Posted on May 12, 2020 at 2:43 PM
The Astaroth infostealer has continued to evolve into one of the most potent malware strains in the world. Thankfully, the actors behind it have so far limited themselves to Brazil. Since it was first discovered in September 2018, the Trojan has repeatedly targeted users in Brazil, as security researchers have revealed.
One reason it is so difficult to spot is that it contains a slew of anti-sandbox and anti-analysis checks designed to frustrate detection and analysis by security researchers.
Malware has shifted focus since it was discovered
The first security researchers to discover and analyze the Trojan were IBM researchers. Afterward, Microsoft and Cybereason collaborated on tracking the evolution of the malware, releasing their findings in two blog posts in July last year and March this year.
Researchers have been following Astaroth since then, and the latest revelation is that the malware has developed a more sophisticated attack chain and placed an even greater emphasis on stealth.
According to a report released yesterday by Cisco Talos, Astaroth has significantly changed its operational methods since its inception, and it continues to evolve with new updates.
Although the Trojan still relies on living-off-the-land binaries (LOLBins), fileless execution and email campaigns for distribution, it has received two important updates.
The first update is the collection of anti-sandbox and anti-analysis checks. According to the report, the malware only proceeds with execution once these checks pass. This ensures it is running on a real victim machine rather than inside a sandbox, which keeps it out of the hands of security researchers.
Because the Astaroth actors have evaded analysis of their operations, they can prevent their payloads from being flagged as malware. More dangerously, the infection rate keeps expanding as long as the group stays under the radar: the longer they remain hidden, the more data they can steal and offer for sale on the darknet.
The Malware is very difficult to analyze
According to the Cisco Talos team, “Astaroth is evasive by nature and its authors have taken every step to ensure its success.”
The team further revealed that the actors behind Astaroth have implemented a highly sophisticated mechanism that makes the malware very difficult to detect.
They start with impactful, effective lures, add several layers of obfuscation, and then run a systematic set of checks for both analysis techniques and analysis tools. This makes it quite difficult for researchers to identify the threat in the first place, and, according to the researchers, the malware is also very difficult to analyze once found.
Malware uses YouTube channel to hide its command servers
Not only is the malware very difficult to analyze, but its communication is also very difficult to stop. Following the actors' recent update, researchers discovered that the malware now hides its command and control (C2) servers in YouTube channel descriptions.
Talos revealed that once Astaroth compromises a system, the malware connects to a YouTube channel and reads the channel's description field.
The description field contains base64-encoded, encrypted text holding the web address of the C2 server. Once Astaroth has decoded the text, it connects to that address to upload the stolen information and wait for new instructions.
Astaroth's method is more robust than it may appear, because YouTube is only one of several options the group has developed for discovering and connecting to the C2 server.
This means that if YouTube deletes the channels, Astaroth will simply fall back to another option for locating its C2 server.
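A defender who obtains a suspected dead-drop channel description can triage it for the pattern described above: long base64 tokens that decode either to a plaintext URL or to high-entropy bytes consistent with an encrypted address. The following is an added example, not code from the Talos report or from Astaroth; the channel text, the "ciphertext" (SHA-256 output standing in for an unknown cipher) and the `.invalid` address are all constructed.

```python
import base64
import binascii
import hashlib
import math
import re
from dataclasses import dataclass, field

# Constructed sample description. The high-entropy blob is just SHA-256 output
# of constructed strings: it mimics encrypted data but uses no real cipher and
# hides no real address (assumption for illustration only).
_FAKE_CIPHERTEXT = b"".join(
    hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in range(8)
)
SAMPLE_DESCRIPTION = (
    "Welcome to my channel! New videos every Friday.\n"
    "Contact: example@example.invalid\n"
    + base64.b64encode(b"http://c2.example.invalid/gate").decode() + "\n"
    + base64.b64encode(_FAKE_CIPHERTEXT).decode() + "\n"
    "Thanks for watching"
)

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")   # long base64-looking runs
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")          # URL inside decoded bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for ciphertext, far lower for readable text."""
    if not data:
        return 0.0
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


@dataclass
class Candidate:
    token: str
    decoded_len: int
    entropy: float
    plaintext_urls: list = field(default_factory=list)


def find_dead_drop_candidates(description: str, min_entropy: float = 6.0) -> list:
    """Return base64 tokens whose decoded bytes contain a URL or look encrypted."""
    found = []
    for m in B64_TOKEN.finditer(description):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, e.g. a long ordinary word
        urls = [u.decode(errors="replace") for u in URL_RE.findall(raw)]
        entropy = shannon_entropy(raw)
        if urls or entropy >= min_entropy:
            found.append(Candidate(token, len(raw), entropy, urls))
    return found
```

The entropy threshold is a heuristic that only makes sense for blobs of a few hundred bytes or more; short tokens should be reviewed by hand rather than trusted to the score.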
The only good news about this development is that the malware is still active only in Brazil, where it began. The actors are currently targeting Brazilian users exclusively, but researchers believe this may change soon.