Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Astaroth
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Astaroth
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019)(Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)
ID: S0373
Associated Software: Guildma
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 17 Apr 2019
Last Modified: 08 Dec 2020

Associated Software Descriptions
Name Description
Guildma (Citation: Securelist Brazilian Banking Malware July 2020)

Techniques Used
Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Astaroth creates a startup item for persistence. (Citation: Cofense Astaroth Sept 2018)
.009 Boot or Logon Autostart Execution: Shortcut Modification

Astaroth's initial payload is a malicious .LNK file. (Citation: Cofense Astaroth Sept 2018)(Citation: Cybereason Astaroth Feb 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Astaroth spawns a CMD process to execute commands. (Citation: Cybereason Astaroth Feb 2019)
.005 Command and Scripting Interpreter: Visual Basic

Astaroth has used malicious VBS e-mail attachments for execution.(Citation: Securelist Brazilian Banking Malware July 2020)

.007 Command and Scripting Interpreter: JavaScript

Astaroth uses JavaScript to perform its core functionalities. (Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Astaroth encodes data using Base64 before sending it to the C2 server. (Citation: Cofense Astaroth Sept 2018)
Enterprise T1074 .001 Data Staged: Local Data Staging

Astaroth collects data in a plaintext file named r1.log before exfiltration. (Citation: Cofense Astaroth Sept 2018)
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Astaroth has used a DGA in C2 communications.(Citation: Cybereason Astaroth Feb 2019)
Enterprise T1564 .003 Hide Artifacts: Hidden Window

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. (Citation: Cybereason Astaroth Feb 2019)
.004 Hide Artifacts: NTFS File Attributes

Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads.(Citation: Securelist Brazilian Banking Malware July 2020)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Astaroth can launch itself via DLL Search Order Hijacking.(Citation: Securelist Brazilian Banking Malware July 2020)
Enterprise T1056 .001 Input Capture: Keylogging

Astaroth logs keystrokes from the victim's machine. (Citation: Cofense Astaroth Sept 2018)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Astaroth uses a software packer called Pe123\RPolyCryptor.(Citation: Cybereason Astaroth Feb 2019)
Enterprise T1598 .002 Phishing for Information: Spearphishing Attachment

Astaroth has been delivered via malicious e-mail attachments.(Citation: Securelist Brazilian Banking Malware July 2020)
Enterprise T1055 .012 Process Injection: Process Hollowing

Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.(Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020)
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder. (Citation: Cofense Astaroth Sept 2018)
Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Astaroth uses ActiveX objects for file execution and manipulation. (Citation: Cofense Astaroth Sept 2018)
.010 System Binary Proxy Execution: Regsvr32

Astaroth can be loaded through regsvr32.exe.(Citation: Cybereason Astaroth Feb 2019)

Enterprise T1204 .002 User Execution: Malicious File

Astaroth has used malicious files including VBS, LNK, and HTML for execution.(Citation: Securelist Brazilian Banking Malware July 2020)
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Astaroth can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments.(Citation: Securelist Brazilian Banking Malware July 2020)
Enterprise T1102 .001 Web Service: Dead Drop Resolver

Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.(Citation: Securelist Brazilian Banking Malware July 2020)

References

  1. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  2. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  3. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.