Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [1][2][3]

ID: S0373
Associated Software: Guildma
Type: MALWARE
Platforms: Windows
Contributors: Carlos Borges, @huntingneo, CIP
Version: 2.3
Created: 17 April 2019
Last Modified: 25 September 2024

Associated Software Descriptions

Name Description
Guildma [3]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Astaroth uses WMIC to execute payloads. [2]

Enterprise T1220 XSL Script Processing

Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [1]

Enterprise T1555 Credentials from Password Stores

Astaroth uses an external software known as NetPass to recover passwords. [1]

Enterprise T1129 Shared Modules

Astaroth uses the LoadLibraryExW() function to load additional modules. [1]

Enterprise T1115 Clipboard Data

Astaroth collects information from the clipboard by calling the OpenClipboard() and GetClipboardData() functions. [1]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Astaroth has used a DGA in C2 communications.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Astaroth can launch itself via DLL Search Order Hijacking.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [1][3]
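As an added analyst-side illustration of the fromCharCode() obfuscation named in this row (example code written for this page, not Astaroth's, MITRE's or any vendor's code), the Python pass below decodes String.fromCharCode() calls, folds '+' concatenations and inlines variables that hold a single literal, run over a constructed JScript-like sample. The SAMPLE text, the run() call and all function names are assumptions; literals are assumed escape-free.

```python
import re
# Constructed JScript-style sample (not Astaroth's real code): every string is
# built from String.fromCharCode() codes plus '+' concatenation.
SAMPLE = (
    "var c = String.fromCharCode(119,109,105,99,46,101,120,101);\n"
    "var a = String.fromCharCode(0x6f,0x73) + ' ' + String.fromCharCode(103, 101, 116);\n"
    "run(c + ' ' + a + String.fromCharCode(32,99,97,112,116,105,111,110));\n"
)
_CHARCODE = re.compile(r"String\.fromCharCode\(\s*([^()]*?)\s*\)")
# Token stream: escape-free string literal, whitespace, identifier, or one char.
_TOKEN = re.compile(r"'[^'\\]*'|\"[^\"\\]*\"|\s+|\w+|.")
_VAR = re.compile(r"var\s+(\w+)\s*=\s*('[^'\\]*'|\"[^\"\\]*\")\s*;")

def _is_str(tok):
    return len(tok) > 1 and tok[0] in "'\"" and tok[-1] == tok[0]
def _lit(body):                       # quote with whichever delimiter body lacks
    return ('"%s"' if "'" in body else "'%s'") % body

def decode_from_charcode(src):
    """Replace each String.fromCharCode(...) call (decimal or 0x codes) with a literal."""
    def repl(m):
        codes = [t.strip() for t in m.group(1).split(",") if t.strip()]
        return _lit("".join(chr(int(c, 16 if c.lower().startswith("0x") else 10)) for c in codes))
    return _CHARCODE.sub(repl, src)

def collapse_concat(src):
    """Merge runs of  'a' + 'b'  into one literal by walking the token stream."""
    out = []
    for tok in _TOKEN.findall(src):
        if _is_str(tok):
            j = len(out)
            while j and out[j - 1].isspace(): j -= 1
            if j and out[j - 1] == "+":
                j -= 1
                while j and out[j - 1].isspace(): j -= 1
                if j and _is_str(out[j - 1]):          # fold the left literal in
                    tok = _lit(out[j - 1][1:-1] + tok[1:-1])
                    del out[j - 1:]
        out.append(tok)
    return "".join(out)

def inline_literals(src):
    """Inline variables that hold a single literal, then collapse the result."""
    names = dict(_VAR.findall(src))              # name -> quoted literal
    out, prev = [], ""
    for tok in _TOKEN.findall(src):
        if tok in names and prev != "var":       # keep the declaration itself
            tok = names[tok]
        if not tok.isspace(): prev = tok
        out.append(tok)
    return collapse_concat("".join(out))

def deobfuscate(src):
    return inline_literals(collapse_concat(decode_from_charcode(src)))
```

Running deobfuscate(SAMPLE) exposes the assembled command string on the run() line, which is the form a detection rule or triage analyst actually needs to see.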

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Astaroth creates a startup item for persistence. [2]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Astaroth's initial payload is a malicious .LNK file. [2][1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Astaroth spawns a CMD process to execute commands. [1]

.005 Command and Scripting Interpreter: Visual Basic

Astaroth has used malicious VBS e-mail attachments for execution.[3]

.007 Command and Scripting Interpreter: JavaScript

Astaroth uses JavaScript to perform its core functionalities. [2][3]

Enterprise T1074 .001 Data Staged: Local Data Staging

Astaroth collects data in a plaintext file named r1.log before exfiltration. [2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Astaroth encodes data using Base64 before sending it to the C2 server. [2]

Enterprise T1552 Unsecured Credentials

Astaroth uses an external software known as NetPass to recover passwords. [1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Astaroth uses a software packer called Pe123\RPolyCryptor.[1]

.010 Obfuscated Files or Information: Command Obfuscation

Astaroth has obfuscated and randomized parts of the JScript code it is initiating.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.[3]

Enterprise T1204 .002 User Execution: Malicious File

Astaroth has used malicious files including VBS, LNK, and HTML for execution.[3]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Astaroth uses ActiveX objects for file execution and manipulation. [2]

.010 System Binary Proxy Execution: Regsvr32

Astaroth can be loaded through regsvr32.exe.[1]

Enterprise T1082 System Information Discovery

Astaroth collects the machine name and keyboard language from the system. [2][1]

Enterprise T1124 System Time Discovery

Astaroth collects the timestamp from the infected machine. [2]

Enterprise T1016 System Network Configuration Discovery

Astaroth collects the external IP address from the system. [2]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.[3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Astaroth can check for Windows product IDs used by sandboxes, as well as for usernames and disk serial numbers associated with analyst environments.[3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder. [2]

Enterprise T1105 Ingress Tool Transfer

Astaroth uses certutil and BITSAdmin to download additional malware. [2][1][3]

Enterprise T1056 .001 Input Capture: Keylogging

Astaroth logs keystrokes from the victim's machine. [2]

Enterprise T1057 Process Discovery

Astaroth searches for different processes on the system.[1]

Enterprise T1055 .012 Process Injection: Process Hollowing

Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.[1][3]

Enterprise T1041 Exfiltration Over C2 Channel

Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Astaroth has been delivered via malicious e-mail attachments.[3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. [1]

.004 Hide Artifacts: NTFS File Attributes

Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads.[3]

References