Facebook and YouTube profiles are at the heart of an ongoing phishing campaign spreading the Astaroth trojan, bent on the eventual exfiltration of sensitive information. The attack is sophisticated in that it uses normally trusted sources as cover for malicious activities – thus evading usually effective email and network security layers.
The attack starts with an .HTM file attached to an email, according to Aaron Riley, researcher at Cofense. He noted in an analysis this week that the emails come in three “flavors” – an invoice theme, a show ticket theme and a civil lawsuit theme.
“Among the files downloaded are two .DLL files that are joined together and side-loaded into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe,’” Riley explained. “Using a legitimate program to run the two-part malicious code that was downloaded from a trusted source helps to bypass security measures such as antivirus (AV), application white-listing, and URL filtering.”
Once ExtExport.exe is running with the malicious DLLs loaded, that code uses process hollowing: it launches another legitimate program and replaces its in-memory image with yet more malicious code, so the payload runs under the name and path of a trusted binary.
For command and control, Astaroth uses YouTube and Facebook profiles to host and maintain its C2 configuration data.
“This C2 data is base64 encoded as well as custom encrypted,” Riley explained. “The data is within posts on Facebook or within the profile information of user accounts on YouTube. By hosting the C2 data within these trusted sources, the threat actors can bypass network security measures like content filtering. The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down.”
Once the C2 information is gathered, Astaroth, which has been stealing sensitive information since at least 2017, proceeds to collect financial information, passwords stored in the browser, email client credentials, SSH credentials and more. All of it is sent via HTTPS POST to a site hosted on Appspot (Google App Engine), another legitimate service.
“This encrypted connection to another trusted source allows for the communication to bypass network security measures that cannot decrypt it,” Riley said. He added, “At each step [of this attack], the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures.”
This particular Astaroth campaign exclusively targets Brazilians, with emails written in Portuguese and the initial .ZIP archive geo-fenced to Brazil.
Also, “the legitimate programs that were targeted for process-hollowing were unins000.exe, svchost.exe and userinit.exe,” Riley noted. “The program unins000.exe is most notably used within a security program on systems that allow online banking in Brazil.”
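The chain above gives a defender three observables that do not depend on the payload's hash: the IE helper loading a DLL from somewhere other than its own directory, a hollowing target whose parent is that helper rather than its normal parent, and one of those processes talking to Facebook, YouTube or Appspot. The following is an added example, not code from Cofense or the article: detection logic for those three observables run over constructed Sysmon-style event records. The event fields, the user-writable directory list, the DLL name and the Appspot hostname are assumptions made for illustration.

```python
# Added detection example for the Astaroth tradecraft described above.
# Not the campaign's own code or Cofense's rules; event layout and paths assumed.
from dataclasses import dataclass
from typing import List, Tuple

SIDELOAD_HOST = "extexport.exe"                                   # legitimate IE helper abused as host
HOLLOW_TARGETS = {"unins000.exe", "svchost.exe", "userinit.exe"}   # hollowing victims named in the analysis
TRUSTED_SERVICES = ("facebook.com", "youtube.com", "appspot.com")  # C2 config hosts and exfil endpoint
# Directories a standard user can write to (assumed list); ExtExport.exe
# pulling a DLL from one of these is the side-loading signal.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
# Where ExtExport.exe's legitimate dependencies are expected to live (assumed).
TRUSTED_DIRS = ("c:\\program files\\internet explorer\\",
                "c:\\program files (x86)\\internet explorer\\",
                "c:\\windows\\")


@dataclass
class Event:
    kind: str            # "process" (creation), "imageload", or "network"
    image: str           # full path of the acting process
    parent: str = ""     # parent image, for "process" events
    loaded: str = ""     # module path, for "imageload" events
    dest: str = ""       # destination hostname, for "network" events


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _name(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _under_domain(host: str, domain: str) -> bool:
    # Exact match or a subdomain; avoids "notfacebook.com" matching "facebook.com".
    return host == domain or host.endswith("." + domain)


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs in event order; an empty list means nothing fired."""
    alerts: List[Tuple[str, str]] = []
    for e in events:
        proc = _name(e.image)
        if e.kind == "imageload" and proc == SIDELOAD_HOST:
            mod = _norm(e.loaded)
            # Side-loading: the host resolves a DLL name to a copy that is not in
            # its own directory or Windows, typically somewhere the user can write.
            if mod.startswith(USER_WRITABLE) or not mod.startswith(TRUSTED_DIRS):
                alerts.append(("dll-sideload", e.loaded))
        elif e.kind == "process" and _name(e.parent) == SIDELOAD_HOST and proc in HOLLOW_TARGETS:
            # Hollowing: the injector creates its victim (normally suspended), so the
            # victim's parent is the side-loaded host instead of services.exe/winlogon.exe.
            alerts.append(("hollowing-candidate", e.image))
        elif e.kind == "network" and (proc == SIDELOAD_HOST or proc in HOLLOW_TARGETS):
            host = e.dest.lower()
            # A system binary or the IE helper reaching Facebook/YouTube/Appspot is
            # the "trusted source" abuse the analysis describes; a browser doing so is not.
            if any(_under_domain(host, d) for d in TRUSTED_SERVICES):
                alerts.append(("trusted-service-abuse", f"{proc} -> {e.dest}"))
    return alerts


# Constructed sample telemetry (not real logs); hypothetical DLL name and Appspot host.
SAMPLE_EVENTS = [
    Event("imageload", r"C:\Program Files\Internet Explorer\ExtExport.exe",
          loaded=r"C:\Program Files\Internet Explorer\ieproxy.dll"),          # benign load
    Event("imageload", r"C:\Program Files\Internet Explorer\ExtExport.exe",
          loaded=r"C:\Users\victim\AppData\Local\Temp\payload.dll"),          # side-load
    Event("process", r"C:\Windows\System32\svchost.exe",
          parent=r"C:\Windows\System32\services.exe"),                         # benign parent
    Event("process", r"C:\Windows\System32\userinit.exe",
          parent=r"C:\Program Files\Internet Explorer\ExtExport.exe"),          # hollowing candidate
    Event("network", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest="www.youtube.com"),                                              # benign: a browser
    Event("network", r"C:\Windows\System32\userinit.exe", dest="www.youtube.com"),         # C2 config fetch
    Event("network", r"C:\Windows\System32\svchost.exe", dest="example-app.appspot.com"),  # exfil POST
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The rules are deliberately cheap to evaluate in a SIEM: each needs only the image path, parent path, loaded-module path or destination host from a single event, which is why none of them is defeated by the base64 and custom encryption applied to the C2 data or by the TLS on the exfiltration channel. The cost is that the side-load rule will need the trusted-directory list tuned to the actual install layout of the environment.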
However, there’s no reason the trojan’s operators can’t target other regions with similar tactics; indeed, Astaroth was seen over the summer using .LNK files in fileless campaigns in Europe. The method of obfuscating Astaroth activity with legitimate services bears watching, Riley noted.