Saturday, September 26, 17:02

Astaroth trojan: Hides command servers in descriptions of Youtube channels

Last year, the Astaroth infostealer trojan was rated as one of the stealthiest malware families, carrying a series of anti-analysis and anti-sandbox checks designed to stop security researchers from identifying and analyzing its functions. So far, however, this trojan appears to target users in only one country, Brazil. It has been targeting Brazilian users since it was first spotted, in September 2018.

IBM researchers were the first to locate and analyze the Astaroth infostealer trojan, followed by Cybereason and Microsoft. Microsoft in particular analyzed the evolution of this malware in two separate blog posts, one in July 2019 and one in March 2020. In all these reports, the researchers noted how the Astaroth trojan gradually acquired new features, developed a more complex infection chain and evolved into a "stealthy" malware. In a new report, Cisco Talos points out that the Astaroth trojan continues to evolve. The trojan is still based on e-mail campaigns and on LOLBins, but it has also acquired two important new elements. The first is a new and fairly large collection of anti-analysis and anti-sandbox checks. The malware performs these checks before its payload runs, to make sure that it is executing on a real computer and not in a test environment where it could be analyzed by security researchers.

By preventing analysis of the trojan's functions, the gang behind the Astaroth infostealer can avoid having its payloads flagged as malware. The longer the group stays under the radar of security solutions, the higher the infection rate and the more data it can collect from victims and then sell online to other criminal groups. According to Cisco Talos, the Astaroth team has taken every step needed to ensure the trojan's success. In particular, it has implemented a complex labyrinth of anti-analysis and anti-sandbox checks to keep the malware from being detected or analyzed. It then checks for the tools and techniques of both researchers and sandbox technology. As the researchers report, this makes the malware very difficult to detect, let alone analyze. However, even if analyzing the trojan were not so difficult, cutting off its "means of communication" is also a hard task. In particular, Astaroth now uses YouTube channel descriptions to hide the URLs of its command and control (C2) servers.

According to Cisco Talos, after the Astaroth trojan infects a victim, it connects to a YouTube channel and retrieves the channel's description field. The field contains encrypted, base64-encoded text holding the URLs of the command and control servers. After decoding the text, Astaroth connects to these URLs to receive new instructions and to send the stolen information for storage. This method of hiding the location of the C&C server on YouTube is nothing new. It was used before, in 2015 by Janicab and in 2019 by Stantinko. At Astaroth, however, hiding the C&C URL on YouTube is just one of three redundant methods for discovering and connecting to C&C servers, Cisco Talos said, showing once again Astaroth's higher level of expertise compared to other malware campaigns. This means that even if YouTube removes those channels, Astaroth switches to another system to acquire its C&C servers. Currently, this trojan is only active in Brazil. However, if it spreads around the world, it could cause a serious number of infections because of its complexity and also because of the fast pace at which it is evolving. The Astaroth trojan is always trying to stay one step ahead of security companies, moving to new infrastructure at regular intervals.
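As an added illustration, not code from Cisco Talos or from the article, the snippet below shows a defender-side heuristic for the pattern described: scanning a free-text field such as a YouTube channel description for base64 runs that decode to text containing URLs. It models only the base64 layer (the article says the real payload is additionally encrypted, in a way it does not describe), the 24-character minimum run length is an assumption, and the sample description and its domains are constructed placeholders, not indicators from the report.

```python
"""Heuristic scanner for base64 "dead-drop" payloads hidden in text fields.

Added example, not Astaroth code. It flags a description whose base64 segments
decode to URLs; the extra encryption layer mentioned in the article is not
modelled. The sample description below is constructed for this example.
"""
import base64
import binascii
import re

# A base64 run long enough to be worth decoding (assumption: 24+ characters).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>|]+", re.IGNORECASE)


def find_hidden_urls(text: str) -> list[str]:
    """Return URLs found inside base64-encoded segments of `text`."""
    found = []
    for match in B64_RUN.finditer(text):
        blob = match.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        found.extend(URL_RE.findall(decoded))
    return found


def is_suspicious(text: str) -> bool:
    """A description hiding URLs in base64 is treated as a dead-drop indicator."""
    return bool(find_hidden_urls(text))


# Constructed sample: an innocuous blurb followed by a base64 blob that decodes
# to two "|"-separated URLs (placeholder domains, not real indicators).
SAMPLE_DESCRIPTION = (
    "Welcome to my channel! Videos every week.\n"
    + base64.b64encode(
        b"http://c2-placeholder.example/path|https://backup.example.invalid/x"
    ).decode()
)

if __name__ == "__main__":
    for url in find_hidden_urls(SAMPLE_DESCRIPTION):
        print("hidden URL:", url)
```

The same scan can be pointed at any text a process fetches over HTTP from a content platform; a non-browser process pulling a channel page whose description decodes to URLs is the behaviour worth alerting on.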
