Astaroth
Associated Software Descriptions |
|
Name | Description |
---|---|
Guildma | (Citation: Securelist Brazilian Banking Malware July 2020) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Astaroth creates a startup item for persistence. (Citation: Cofense Astaroth Sept 2018) |
.009 | Boot or Logon Autostart Execution: Shortcut Modification |
Astaroth's initial payload is a malicious .LNK file. (Citation: Cofense Astaroth Sept 2018)(Citation: Cybereason Astaroth Feb 2019) |
||
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Astaroth spawns a CMD process to execute commands. (Citation: Cybereason Astaroth Feb 2019) |
.005 | Command and Scripting Interpreter: Visual Basic |
Astaroth has used malicious VBS e-mail attachments for execution.(Citation: Securelist Brazilian Banking Malware July 2020) |
||
.007 | Command and Scripting Interpreter: JavaScript |
Astaroth uses JavaScript to perform its core functionalities. (Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020) |
||
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Astaroth encodes data using Base64 before sending it to the C2 server. (Citation: Cofense Astaroth Sept 2018) |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Astaroth collects data in a plaintext file named r1.log before exfiltration. (Citation: Cofense Astaroth Sept 2018) |
Enterprise | T1568 | .002 | Dynamic Resolution: Domain Generation Algorithms |
Astaroth has used a DGA in C2 communications.(Citation: Cybereason Astaroth Feb 2019) |
Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
Astaroth loads its module with the XSL script parameter |
.004 | Hide Artifacts: NTFS File Attributes |
Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads.(Citation: Securelist Brazilian Banking Malware July 2020) |
||
Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
Astaroth can launch itself via DLL Search Order Hijacking.(Citation: Securelist Brazilian Banking Malware July 2020) |
Enterprise | T1056 | .001 | Input Capture: Keylogging |
Astaroth logs keystrokes from the victim's machine. (Citation: Cofense Astaroth Sept 2018) |
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Astaroth uses a software packer called Pe123\RPolyCryptor.(Citation: Cybereason Astaroth Feb 2019) |
.010 | Obfuscated Files or Information: Command Obfuscation |
Astaroth has obfuscated and randomized parts of the JScript code it is initiating.(Citation: Cybereason Astaroth Feb 2019) |
||
.013 | Obfuscated Files or Information: Encrypted/Encoded File |
Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.(Citation: Securelist Brazilian Banking Malware July 2020) |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Astaroth has been delivered via malicious e-mail attachments.(Citation: Securelist Brazilian Banking Malware July 2020) |
Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.(Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020) |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Astaroth checks for the presence of Avast antivirus in the |
Enterprise | T1218 | .001 | System Binary Proxy Execution: Compiled HTML File |
Astaroth uses ActiveX objects for file execution and manipulation. (Citation: Cofense Astaroth Sept 2018) |
.010 | System Binary Proxy Execution: Regsvr32 |
Astaroth can be loaded through regsvr32.exe.(Citation: Cybereason Astaroth Feb 2019) |
||
Enterprise | T1204 | .002 | User Execution: Malicious File |
Astaroth has used malicious files including VBS, LNK, and HTML for execution.(Citation: Securelist Brazilian Banking Malware July 2020) |
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
Astaroth can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments.(Citation: Securelist Brazilian Banking Malware July 2020) |
Enterprise | T1102 | .001 | Web Service: Dead Drop Resolver |
Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.(Citation: Securelist Brazilian Banking Malware July 2020) |
References
- Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.