The return of the Astaroth Spyware Trojan

Updated 27-09-2019 – IOC List

Bitdefender researchers found an interesting spike in malware activity that involved the use of Microsoft binaries in the infection process, as well as the use of GitHub and Google Drive for delivering payloads.

After analyzing the detection details we were able to identify this activity as a resurgence of the Astaroth spyware, a Trojan and information stealer known since late 2017.

Astaroth was first seen in 2017 and is classified as an information stealer and Trojan. This campaign "lives off the land": it uses legitimate Microsoft applications in the infection process to avoid detection by conventional security tooling.

GitHub and Google Drive are used to store and deliver the payloads once certain criteria, such as a Brazilian locale and a Portuguese keyboard layout, are met. Once installed, Astaroth captures keystrokes when Internet Explorer (IE) is used to access specific Brazilian banks and businesses. To stop the user from switching to Chrome or Firefox, the malware terminates those browsers, forcing the user back into IE. The infection vector is a malicious archive hosted on the Internet that the user is tricked into downloading. An enticing .LNK file, when clicked by the user, begins the infection by launching cmd.exe with specified parameters. WMIC is then invoked to download the subsequent stages, pulling the parameter file from the Internet (Google Drive or GitHub).
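The chain above (LNK launches cmd.exe, cmd.exe launches WMIC to fetch remote content, browsers are killed to force IE) leaves a recognisable footprint in process-creation telemetry. The detector below is an added example written for this post, not Bitdefender's code; it runs over constructed Sysmon-style events, and the delivery hostnames it treats as high-signal are my assumption based on the post naming Google Drive and GitHub.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon-style process-creation events (only the fields we need).
# They mimic the chain described in the post and are not real telemetry.
SAMPLE_EVENTS = [
    {"parent_image": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c echo "placeholder for the LNK launch command"'},
    {"parent_image": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic.exe os get "https://drive.google.com/uc?id=PLACEHOLDER"'},
    {"parent_image": "cmd.exe", "image": "taskkill.exe",
     "cmdline": "taskkill.exe /F /IM chrome.exe /IM firefox.exe"},
    {"parent_image": "services.exe", "image": "wmic.exe",
     "cmdline": "wmic.exe os get caption"},  # benign local inventory query
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Hosts the post names as payload stores; exact hostnames are assumed here.
DELIVERY_HOSTS = {"drive.google.com", "docs.google.com",
                  "github.com", "raw.githubusercontent.com"}
BROWSERS = ("chrome.exe", "firefox.exe")


def classify(event):
    """Return a list of (severity, reason) findings for one process event."""
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmd = event["cmdline"]
    findings = []
    if image == "wmic.exe":
        hosts = {urlparse(u).hostname for u in URL_RE.findall(cmd)}
        hosts.discard(None)
        if hosts:
            # Any remote fetch by wmic.exe is suspicious; a known delivery host
            # or a cmd.exe parent (LNK -> cmd -> wmic) raises the severity.
            high = bool(hosts & DELIVERY_HOSTS) or parent == "cmd.exe"
            findings.append(("high" if high else "medium",
                             "wmic.exe fetching remote content from "
                             + ", ".join(sorted(hosts))))
    if image == "taskkill.exe" and any(b in cmd.lower() for b in BROWSERS):
        findings.append(("medium", "browser termination (forcing IE use)"))
    return findings


def scan(events):
    """Map event index -> findings, for every event that produced any."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}
```

Correlating the wmic.exe and taskkill.exe findings on the same host within a short window is what turns two medium-confidence signals into a confident match for this campaign.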

The table below shows geolocation statistics for the targeted users. It is easy to see that the campaign targets mostly users in South America, especially Brazil.

Indicators of Compromise

IP Addresses / Domains


SHA1 File Hashes


Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
