Astaroth is a Trojan and information stealer known to affect companies in Europe and Brazil. It has been known publicly since at least late 2017. [1][2]

ID: S0373
Platforms: Windows
Contributors: Carlos Borges, @huntingneo, CIP
Version: 1.2
Created: 17 April 2019
Last Modified: 23 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

Astaroth's initial payload is a malicious .LNK file. [2][1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Astaroth creates a startup item for persistence. [2]

Enterprise T1115 Clipboard Data

Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() Windows API functions. [1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript/JScript

Astaroth uses JavaScript to perform its core functionalities. [2]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Astaroth spawns a CMD process to execute commands. [1]

Enterprise T1555 Credentials from Password Stores

Astaroth uses an external tool known as NetPass to recover passwords. [1]

Enterprise T1132.001 Data Encoding: Standard Encoding

Astaroth encodes data using Base64 before sending it to the C2 server. [2]

Enterprise T1074.001 Data Staged: Local Data Staging

Astaroth collects data in a plaintext file named r1.log before exfiltration. [2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [1]

Enterprise T1041 Exfiltration Over C2 Channel

Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [1]

Enterprise T1564.003 Hide Artifacts: Hidden Window

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. [1]

Enterprise T1105 Ingress Tool Transfer

Astaroth uses certutil and BITSAdmin to download additional malware. [2][1]

Enterprise T1056.001 Input Capture: Keylogging

Astaroth logs keystrokes from the victim's machine. [2]

Enterprise T1027 Obfuscated Files or Information

Astaroth obfuscates its JScript code. [1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

Astaroth uses a software packer called Pe123\RPolyCryptor. [1]

Enterprise T1057 Process Discovery

Astaroth searches for different processes on the system. [1]

Enterprise T1055.012 Process Injection: Process Hollowing

Astaroth searches for unins000.exe (GAS Tecnologia software), Syswow64\userinit.exe or System32\userinit.exe to evasively create a new process in a suspended state. [1]

Enterprise T1129 Shared Modules

Astaroth uses the LoadLibraryExW() function to load additional modules. [1]

Enterprise T1218.001 Signed Binary Proxy Execution: Compiled HTML File

Astaroth uses ActiveX objects for file execution and manipulation. [2]

Enterprise T1218.010 Signed Binary Proxy Execution: Regsvr32

Astaroth can be loaded through regsvr32.exe. [1]

Enterprise T1518.001 Software Discovery: Security Software Discovery

Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder. [2]

Enterprise T1082 System Information Discovery

Astaroth collects the machine name and keyboard language from the system. [2][1]

Enterprise T1016 System Network Configuration Discovery

Astaroth collects the external IP address from the system. [2]

Enterprise T1124 System Time Discovery

Astaroth collects the timestamp from the infected machine. [2]

Enterprise T1552 Unsecured Credentials

Astaroth uses an external tool known as NetPass to recover passwords. [1]

Enterprise T1047 Windows Management Instrumentation

Astaroth uses WMIC to execute payloads. [2]

Enterprise T1220 XSL Script Processing

Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [1]