Last year, the Astaroth infostealer trojan was rated one of the stealthiest malware strains, packing a series of anti-analysis and anti-sandbox checks to keep security researchers from identifying and analyzing its functions. However, so far this trojan appears to be targeting users in only one country, Brazil. In fact, it has been targeting Brazilian users since it was first spotted, in September 2018.
Researchers at IBM were the first to locate and analyze the Astaroth infostealer trojan, followed by Cybereason and Microsoft. Microsoft in particular analyzed the evolution of this malware in two separate blog posts, one in July 2019 and one in March 2020. In all these reports, the researchers noted how the Astaroth trojan gradually acquired new features, developed a more complex infection chain and evolved into "hidden" malware. In a new report, Cisco Talos points out that the Astaroth trojan continues to evolve. The trojan still relies on e-mail campaigns and on LOLBins (living-off-the-land binaries), but it has also acquired two important new elements. The first is a new and fairly large collection of anti-analysis and anti-sandbox checks. The malware performs these checks before executing its payload, to make sure it is running on a real computer and not in a test environment where security researchers could analyze it.
By keeping the trojan's functions from being analyzed, the gang behind the Astaroth infostealer can avoid having its payloads flagged as malware. The longer the group stays under the radar of security solutions, the higher the infection rate and the more data it can collect from victims and then sell online to other criminal groups. According to Cisco Talos, the Astaroth team has taken every step needed to ensure the trojan's success. In particular, it has implemented a complex labyrinth of anti-analysis and anti-sandbox checks to keep the malware from being detected or analyzed. The malware checks both for the tools and techniques used by researchers and for sandbox technology. As the researchers report, this makes the malware very difficult to detect, let alone analyze. However, even if the trojan were not so hard to analyze, cutting off its "means of communication" would also be difficult. In particular, Astaroth now uses YouTube channel descriptions to hide the URLs of its command and control (C2) servers.
According to Cisco Talos, after the Astaroth trojan infects a victim, it connects to a YouTube channel and retrieves the channel's description field. The field contains encrypted, base64-encoded text holding the URLs of the command and control servers. After decoding the text, Astaroth connects to these URLs to receive new instructions and to upload the stolen information. Hiding the location of the C&C server on YouTube is nothing new: Janicab used it as early as 2015 and Stantinko in 2019. In Astaroth's case, however, hiding the C&C URL on YouTube is just one of three redundant methods of discovering and connecting to C&C servers, Cisco Talos said, once again showing Astaroth's higher level of expertise compared to other malware campaigns. This means that even if YouTube removes the channels, Astaroth switches to another system to acquire its C&C servers. Currently, this trojan is only active in Brazil. However, if it spreads worldwide, it could cause a serious number of infections thanks to its complexity but also to the fast pace at which it is evolving. The Astaroth trojan is always trying to stay one step ahead of security companies, moving to new infrastructure at regular intervals.
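As an added illustration (not from the Cisco Talos report or this article), the defender-side counterpart of the channel-description trick: a small Python scanner that base64-decodes blob-like runs in a channel's text field and reports any URLs that appear only after decoding. The channel description, the `.invalid` placeholder hostnames and the `|` separator are constructed for the example, and only the base64 layer is modelled, not the extra encryption Astaroth applies on top of it.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Runs of 16+ base64-alphabet characters, optionally padded, are decode candidates.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Loose URL matcher; '|' is excluded so several URLs packed into one blob split apart.
URL_IN_TEXT = re.compile(r"https?://[^\s'\"<>|,;]+")

# Constructed sample: a harmless-looking channel "about" text with a base64 blob
# appended.  The hostnames use the reserved .invalid TLD; they are placeholders.
C2_PLACEHOLDER = "http://c2.example.invalid/gate|http://backup.example.invalid/gate"
SAMPLE_DESCRIPTION = (
    "Recipe channel! Subscribe and hit the bell.\n"
    "Contact: https://www.example.com/about\n"
    + base64.b64encode(C2_PLACEHOLDER.encode()).decode() + "\n"
)


def decode_candidates(text):
    """Yield (token, decoded_text) for every base64-looking run that decodes to printable text."""
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not base64, or binary junk: ignore
        if decoded.isprintable():
            yield token, decoded


def find_hidden_urls(text):
    """Return URLs that are only visible after base64-decoding part of the text."""
    visible = set(URL_IN_TEXT.findall(text))
    hidden = []
    for _token, decoded in decode_candidates(text):
        for url in URL_IN_TEXT.findall(decoded):
            # Keep only real-looking URLs the plain text did not already show.
            if url not in visible and urlparse(url).hostname:
                hidden.append(url)
    return hidden


if __name__ == "__main__":
    for url in find_hidden_urls(SAMPLE_DESCRIPTION):
        print("URL hidden in description:", url)
```

The same check applies to any free-text field an implant might poll (profile bios, paste titles, issue comments); a decoded URL that the visible text never shows is a strong hunting signal.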