1. Home
  2. Software
  3. Astaroth

Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [1][2][3]

ID: S0373
Associated Software: Guildma
Type: MALWARE
Platforms: Windows
Contributors: Carlos Borges, @huntingneo, CIP
Version: 2.3
Created: 17 April 2019
Last Modified: 25 September 2024
Version Permalink

Associated Software Descriptions

Name Description
Guildma

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Astaroth creates a startup item for persistence. [2]
.009 Boot or Logon Autostart Execution: Shortcut Modification

Astaroth's initial payload is a malicious .LNK file. [2][1]
Enterprise T1115 Clipboard Data

Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. [1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Astaroth spawns a CMD process to execute commands. [1]
.005 Command and Scripting Interpreter: Visual Basic

Astaroth has used malicious VBS e-mail attachments for execution.[3]
.007 Command and Scripting Interpreter: JavaScript

Astaroth uses JavaScript to perform its core functionalities. [2][3]
Enterprise T1555 Credentials from Password Stores

Astaroth uses an external software known as NetPass to recover passwords. [1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Astaroth encodes data using Base64 before sending it to the C2 server. [2]
Enterprise T1074 .001 Data Staged: Local Data Staging

Astaroth collects data in a plaintext file named r1.log before exfiltration. [2]
Enterprise T1140 Deobfuscate/Decode Files or Information

Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [1][3]
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Astaroth has used a DGA in C2 communications.[1]
Enterprise T1041 Exfiltration Over C2 Channel

Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [1]
Enterprise T1564 .003 Hide Artifacts: Hidden Window

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. [1]
.004 Hide Artifacts: NTFS File Attributes

Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads.[3]
Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Astaroth can launch itself via DLL Search Order Hijacking.[3]
Enterprise T1105 Ingress Tool Transfer

Astaroth uses certutil and BITSAdmin to download additional malware. [2][1][3]
Enterprise T1056 .001 Input Capture: Keylogging

Astaroth logs keystrokes from the victim's machine. [2]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Astaroth uses a software packer called Pe123\RPolyCryptor.[1]
.010 Obfuscated Files or Information: Command Obfuscation

Astaroth has obfuscated and randomized parts of the JScript code it is initiating.[1]
.013 Obfuscated Files or Information: Encrypted/Encoded File

Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.[3]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Astaroth has been delivered via malicious e-mail attachments.[3]
Enterprise T1057 Process Discovery

Astaroth searches for different processes on the system.[1]
Enterprise T1055 .012 Process Injection: Process Hollowing

Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.[1][3]
Enterprise T1129 Shared Modules

Astaroth uses the LoadLibraryExW() function to load additional modules. [1]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder. [2]
Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Astaroth uses ActiveX objects for file execution and manipulation. [2]
.010 System Binary Proxy Execution: Regsvr32

Astaroth can be loaded through regsvr32.exe.[1]
Enterprise T1082 System Information Discovery

Astaroth collects the machine name and keyboard language from the system. [2][1]
Enterprise T1016 System Network Configuration Discovery

Astaroth collects the external IP address from the system. [2]
Enterprise T1124 System Time Discovery

Astaroth collects the timestamp from the infected machine. [2]
Enterprise T1552 Unsecured Credentials

Astaroth uses an external software known as NetPass to recover passwords. [1]
Enterprise T1204 .002 User Execution: Malicious File

Astaroth has used malicious files including VBS, LNK, and HTML for execution.[3]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Astaroth can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments.[3]
Enterprise T1102 .001 Web Service: Dead Drop Resolver

Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.[3]
Enterprise T1047 Windows Management Instrumentation

Astaroth uses WMIC to execute payloads. [2]
Enterprise T1220 XSL Script Processing

Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [1]

References

  1. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  2. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
  1. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.