
"Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations," McAfee Labs researchers Harshil Patel and Prabudh Chakravorty said in a report. "When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running."
The latest attack chain is no different in that it also begins with a DocuSign-themed phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file, which, when opened, installs Astaroth on the compromised host. The LNK file incorporates obfuscated JavaScript that's responsible for fetching additional JavaScript from an external server. The newly fetched JavaScript code, for its part, downloads a number of files from one of the randomly selected hard-coded servers.
This includes an AutoIt script that's executed by the JavaScript payload, following which it loads and runs shellcode, which, in turn, loads a Delphi-based DLL to decrypt and inject the Astaroth malware into a newly created RegSvc.exe process.
Astaroth's operators host the malware's configuration in GitHub repositories so that the campaign survives takedowns of its traditional C2 servers: when that infrastructure is disrupted, the implant pulls a fresh configuration from GitHub and keeps running. The campaign primarily targets Brazil, with further victims across Latin America in Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. Infection begins with a DocuSign-themed phishing email carrying a zipped .lnk shortcut; opening it runs obfuscated JavaScript that fetches a second JavaScript stage, which in turn downloads files from one of several hard-coded servers chosen at random. That stage runs an AutoIt script, which executes shellcode that loads a Delphi DLL to decrypt Astaroth and inject it into a newly created RegSvc.exe process. Once resident, Astaroth monitors the victim's visits to banking sites.
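The zipped .lnk is the first artifact a responder gets to hold, so a practical triage step is to parse the shortcut's StringData and flag anything that hands off to a script host (wscript, mshta, powershell and the like) instead of a document viewer. The following is an added example, not McAfee's tooling and not code from the campaign: it implements a minimal reader for the MS-SHLLINK header and StringData fields, scans an in-memory archive, and reports why a shortcut looks like a downloader. The archive and both shortcuts it contains are constructed here for the demonstration, and the script-host and keyword lists are the author's own heuristics rather than indicators published for this campaign.

```python
"""Offline triage of a zipped .lnk attachment: parse the Shell Link header and
StringData, then flag shortcuts whose target or arguments invoke a script host.
Added example; the sample archive and command lines below are constructed."""
import io
import struct
import zipfile

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Heuristic lists (author's assumption): hosts and tokens a document lure should never need
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "pwsh", "cmd", "rundll32")
SCRIPT_HINTS = ("javascript:", "jscript", ".js", "vbscript", "eval(", "unescape(")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the StringData fields (name, relative_path, ...)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                        # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:             # IDListSize (u16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfoSize (u32) covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(fields: dict) -> list:
    """Reasons a shortcut looks like a script-based downloader; empty list means clean."""
    cmd = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    reasons = []
    if any(h in cmd for h in SCRIPT_HOSTS):
        reasons.append("launches a script host: " + cmd[:80])
    if any(h in cmd for h in SCRIPT_HINTS):
        reasons.append("command line carries inline script")
    if len(fields.get("arguments", "")) > 200:
        reasons.append("unusually long argument string (%d chars)" % len(fields["arguments"]))
    return reasons


def triage_zip(zip_bytes: bytes) -> dict:
    """Map every .lnk member of an archive to its triage findings."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                out[info.filename] = triage_lnk(parse_lnk(zf.read(info)))
    return out


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed minimal Unicode .lnk (no IDList or LinkInfo) used as sample input."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\0" * (76 - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body + b"\0\0\0\0"              # empty ExtraData: 4-byte terminator


def sample_zip() -> bytes:
    """Constructed archive: one benign shortcut and one script-host lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract.lnk",
                    build_lnk(r"..\Windows\System32\notepad.exe", r"C:\Users\x", "report.txt"))
        zf.writestr("DocuSign_Document.pdf.lnk",
                    build_lnk(r"..\Windows\System32\wscript.exe", r"C:\Windows\System32",
                              '/e:jscript "C:\\Users\\Public\\inv.txt" //B'))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(sample_zip()).items():
        print(name, "->", reasons or "clean")
```

Real attachments usually do carry a LinkTargetIDList and LinkInfo, which is why the parser walks those structures by their size fields rather than assuming the StringData starts at offset 76; the target path then also lives in the IDList, so a production version should decode that as a second source of truth rather than trusting RELATIVE_PATH alone.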
Read at The Hacker News