
Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019)(Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)
ID: S0373
Associated Software: Guildma
Type: MALWARE
Platforms: Windows
Version: 2.3
Created: 17 Apr 2019
Last Modified: 25 Sep 2024

Associated Software Descriptions

Name Description
Guildma (Citation: Securelist Brazilian Banking Malware July 2020)

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Astaroth creates a startup item for persistence. (Citation: Cofense Astaroth Sept 2018)

.009 Boot or Logon Autostart Execution: Shortcut Modification

Astaroth's initial payload is a malicious .LNK file. (Citation: Cofense Astaroth Sept 2018)(Citation: Cybereason Astaroth Feb 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Astaroth spawns a CMD process to execute commands. (Citation: Cybereason Astaroth Feb 2019)

.005 Command and Scripting Interpreter: Visual Basic

Astaroth has used malicious VBS e-mail attachments for execution. (Citation: Securelist Brazilian Banking Malware July 2020)

.007 Command and Scripting Interpreter: JavaScript

Astaroth uses JavaScript to perform its core functionalities. (Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Astaroth encodes data using Base64 before sending it to the C2 server. (Citation: Cofense Astaroth Sept 2018)

Enterprise T1074 .001 Data Staged: Local Data Staging

Astaroth collects data in a plaintext file named r1.log before exfiltration. (Citation: Cofense Astaroth Sept 2018)

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Astaroth has used a DGA in C2 communications. (Citation: Cybereason Astaroth Feb 2019)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. (Citation: Cybereason Astaroth Feb 2019)

.004 Hide Artifacts: NTFS File Attributes

Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads. (Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Astaroth can launch itself via DLL Search Order Hijacking. (Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1056 .001 Input Capture: Keylogging

Astaroth logs keystrokes from the victim's machine. (Citation: Cofense Astaroth Sept 2018)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Astaroth uses a software packer called Pe123\RPolyCryptor. (Citation: Cybereason Astaroth Feb 2019)

.010 Obfuscated Files or Information: Command Obfuscation

Astaroth has obfuscated and randomized parts of the JScript code it is initiating. (Citation: Cybereason Astaroth Feb 2019)

.013 Obfuscated Files or Information: Encrypted/Encoded File

Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys. (Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Astaroth has been delivered via malicious e-mail attachments. (Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1055 .012 Process Injection: Process Hollowing

Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code. (Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder. (Citation: Cofense Astaroth Sept 2018)

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Astaroth uses ActiveX objects for file execution and manipulation. (Citation: Cofense Astaroth Sept 2018)

.010 System Binary Proxy Execution: Regsvr32

Astaroth can be loaded through regsvr32.exe. (Citation: Cybereason Astaroth Feb 2019)

Enterprise T1204 .002 User Execution: Malicious File

Astaroth has used malicious files including VBS, LNK, and HTML for execution. (Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Astaroth can check for Windows product IDs used by sandboxes, as well as usernames and disk serial numbers associated with analyst environments. (Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1102 .001 Web Service: Dead Drop Resolver

Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook. (Citation: Securelist Brazilian Banking Malware July 2020)
