Astaroth is a Trojan and information stealer known to affect companies in Europe and Brazil. It has been known publicly since at least late 2017. [1] [2]

ID: S0373
Platforms: Windows
Contributors: Carlos Borges, @huntingneo, CIP
Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1115 | Clipboard Data | Astaroth collects information from the clipboard by calling the OpenClipboard() and GetClipboardData() API functions. [1] |
| Enterprise | T1059 | Command-Line Interface | Astaroth spawns a CMD process to execute commands. [1] |
| Enterprise | T1223 | Compiled HTML File | Astaroth uses ActiveX objects for file execution and manipulation. [2] |
| Enterprise | T1003 | Credential Dumping | Astaroth uses external software known as NetPass to recover passwords. [1] |
| Enterprise | T1132 | Data Encoding | Astaroth encodes data using Base64 before sending it to the C2 server. [2] |
| Enterprise | T1074 | Data Staged | Astaroth collects data in a plaintext file named r1.log before exfiltration. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [1] |
| Enterprise | T1129 | Execution through Module Load | Astaroth uses the LoadLibraryExW() function to load additional modules. [1] |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | Astaroth exfiltrates the information collected in its r1.log file to the external C2 server. [1] |
| Enterprise | T1143 | Hidden Window | Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. [1] |
| Enterprise | T1056 | Input Capture | Astaroth logs keystrokes from the victim's machine. [2] |
| Enterprise | T1027 | Obfuscated Files or Information | Astaroth obfuscates its JScript code. [1] |
| Enterprise | T1057 | Process Discovery | Astaroth searches for different processes on the system. [1] |
| Enterprise | T1093 | Process Hollowing | Astaroth searches for unins000.exe (GAS Tecnologia software), Syswow64\userinit.exe or System32\userinit.exe in order to evasively create a new process in a suspended state. [1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Astaroth creates a startup item for persistence. [2] |
| Enterprise | T1117 | Regsvr32 | Astaroth can be loaded through regsvr32.exe. [1] |
| Enterprise | T1105 | Remote File Copy | Astaroth uses certutil and BITSAdmin to download additional malware. [2] [1] |
| Enterprise | T1064 | Scripting | Astaroth uses JavaScript to perform its core functionalities. [2] |
| Enterprise | T1063 | Security Software Discovery | Astaroth checks for the presence of Avast antivirus in the C:\Program Files\ folder. [2] |
| Enterprise | T1023 | Shortcut Modification | Astaroth's initial payload is a malicious .LNK file. [2] |
| Enterprise | T1045 | Software Packing | Astaroth uses a software packer called Pe123\RPolyCryptor. [1] |
| Enterprise | T1082 | System Information Discovery | Astaroth collects the machine name and keyboard language from the system. [2] [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Astaroth collects the external IP address from the system. [2] |
| Enterprise | T1124 | System Time Discovery | Astaroth collects the timestamp from the infected machine. [2] |
| Enterprise | T1047 | Windows Management Instrumentation | Astaroth uses WMIC to execute payloads. [2] |
| Enterprise | T1220 | XSL Script Processing | Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [1] |