Astaroth Spy Trojan Uses Facebook, YouTube Profiles to Cover Tracks


At every turn, the info-stealer uses legitimate services to get around normal email, endpoint and network defenses.

Facebook and YouTube profiles are at the heart of an ongoing phishing campaign spreading the Astaroth trojan, bent on the eventual exfiltration of sensitive information. The attack is sophisticated in that it uses normally trusted sources as cover for malicious activities – thus evading usually effective email and network security layers.

The attack starts with an .HTM file attached to an email, according to Aaron Riley, researcher at Cofense. He noted in an analysis this week that the emails come in three “flavors” – an invoice theme, a show ticket theme and a civil lawsuit theme.

If the target opens the attachment, the .HTM file downloads a .ZIP archive that contains a malicious .LNK file. The .LNK file then downloads JavaScript code from a Cloudflare Workers domain, which in turn downloads multiple files that are used to obfuscate and execute a sample of the Astaroth information-stealer.

“Among the files downloaded are two .DLL files that are joined together and side-loaded into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe’,” Riley explained. “Using a legitimate program to run the two-part malicious code that was downloaded from a trusted source helps to bypass security measures such as antivirus (AV), application white-listing, and URL filtering.”

Once ExtExport.exe is running with the malicious DLLs side-loaded, the injected code uses a technique known as process hollowing to replace the memory of another legitimate process with yet more malicious code.

“Process hollowing is used to inject malicious code retrieved from multiple files downloaded by the earlier JavaScript,” Riley explained. “After the [trusted] program’s process is hollowed out and replaced with malicious code, Astaroth begins to retrieve the command-and-control (C2) configuration data from outside trusted sources.”

Specifically, Astaroth uses YouTube and Facebook profiles to host and maintain the C2 configuration data.

“This C2 data is base64 encoded as well as custom encrypted,” Riley explained. “The data is within posts on Facebook or within the profile information of user accounts on YouTube. By hosting the C2 data within these trusted sources, the threat actors can bypass network security measures like content filtering. The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down.”

Once the C2 information is gathered, Astaroth, which has been stealing sensitive information since at least 2017, proceeds to collect financial information, passwords stored in the browser, email client credentials, SSH credentials and more – all of which is sent via HTTPS POST to a site hosted on Appspot, another legitimate service.

“This encrypted connection to another trusted source allows for the communication to bypass network security measures that cannot decrypt it,” Riley said. He added, “At each step [of this attack], the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures.”

This particular Astaroth campaign exclusively targets Brazilians, with emails written in Portuguese and the initial .ZIP archive geo-fenced to Brazil.

Also, “the legitimate programs that were targeted for process-hollowing were unins000.exe, svchost.exe and userinit.exe,” Riley noted. “The program unins000.exe is most notably used within a security program on systems that allow online banking in Brazil.”
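The two process relationships described above (malicious DLLs side-loaded into ExtExport.exe, and ExtExport.exe then spawning one of the hollowing targets unins000.exe, svchost.exe or userinit.exe) are exactly the kind of parent/child and image-load anomalies endpoint telemetry can catch. The following detector is an added example written for this page, not code from Cofense or from the Astaroth analysis. The log lines it parses are constructed for illustration, the key=value field layout is an assumption loosely modelled on Sysmon process-creation and image-load events, and the DLL name and user paths are placeholders.

```python
"""Added example: flag the Astaroth side-loading and process-hollowing
relationships in constructed process telemetry.  Field names (event, pid,
ppid, image, parent, loaded) are an assumption modelled on Sysmon Event ID 1
(process create) and Event ID 7 (image load); they are not a real capture."""

import re

# The legitimate host binary abused for DLL side-loading (from the analysis).
SIDELOAD_HOST = r"c:\program files\internet explorer\extexport.exe"
# Processes the analysis names as process-hollowing targets.
HOLLOW_TARGETS = {"unins000.exe", "svchost.exe", "userinit.exe"}
# Assumption: a DLL loaded into ExtExport.exe from any of these user-writable
# locations is far more likely to be side-loaded than to be a normal dependency.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample telemetry, one event per line.  Paths contain spaces, so
# the parser must not split naively on whitespace.
SAMPLE_LOG = """\
event=ProcessCreate pid=4120 ppid=3300 image=C:\\Windows\\explorer.exe parent=C:\\Windows\\System32\\userinit.exe
event=ProcessCreate pid=5008 ppid=4120 image=C:\\Program Files\\Internet Explorer\\ExtExport.exe parent=C:\\Windows\\explorer.exe
event=ImageLoad pid=5008 image=C:\\Program Files\\Internet Explorer\\ExtExport.exe loaded=C:\\Users\\victim\\AppData\\Local\\Temp\\sample\\A.dll
event=ImageLoad pid=5008 image=C:\\Program Files\\Internet Explorer\\ExtExport.exe loaded=C:\\Windows\\System32\\kernel32.dll
event=ProcessCreate pid=5120 ppid=5008 image=C:\\Windows\\System32\\svchost.exe parent=C:\\Program Files\\Internet Explorer\\ExtExport.exe
event=ProcessCreate pid=5204 ppid=5008 image=C:\\Program Files\\Bank\\unins000.exe parent=C:\\Program Files\\Internet Explorer\\ExtExport.exe
event=ProcessCreate pid=6000 ppid=700 image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\System32\\services.exe
"""

# A value runs until the next " key=" token or end of line, so paths with
# spaces survive intact.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict (empty dict for blank lines)."""
    return {key: value for key, value in _FIELD.findall(line)}


def analyze(log_text: str) -> list:
    """Return (rule, pid, path) tuples for every suspicious event.

    Rule "sideload": ExtExport.exe loaded a DLL from a user-writable path.
    Rule "hollow_candidate": ExtExport.exe spawned a known hollowing target.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        image = ev.get("image", "").lower()
        if ev["event"] == "ImageLoad" and image == SIDELOAD_HOST:
            if ev["loaded"].lower().startswith(USER_WRITABLE):
                alerts.append(("sideload", ev["pid"], ev["loaded"]))
        elif ev["event"] == "ProcessCreate":
            parent = ev.get("parent", "").lower()
            child_name = image.rsplit("\\", 1)[-1]
            # A system binary or the banking uninstaller being started by the
            # IE import/export tool is the hollowing step in the chain.
            if parent == SIDELOAD_HOST and child_name in HOLLOW_TARGETS:
                alerts.append(("hollow_candidate", ev["pid"], ev["image"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, path in analyze(SAMPLE_LOG):
        print(f"{rule:17s} pid={pid} {path}")
```

Note that the ordinary svchost.exe started by services.exe and the kernel32.dll load from System32 produce no alerts; the rules key on the relationship (which parent, which load path), not on the binary name alone, which is what makes a living-off-the-land chain like this one detectable even though every executable involved is legitimate.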

However, there’s no reason the trojan’s operators can’t target other regions with similar tactics, and indeed the malware was seen over the summer using .LNK files in fileless campaigns in Europe. The method of obfuscating Astaroth activity with legitimate services bears watching, Riley noted.

“Astaroth leverages legitimate Microsoft Windows services to help propagate and deliver the payloads,” Riley concluded. “This campaign also utilized Cloudflare workers (JavaScript execution environment) to download modules and payloads, negating network security measures. Using these resources adds to the trusted source methodology employed by this campaign to bypass the security stack.”

