
Facebook, YouTube used in Brazilian phishing scheme

A cybercriminal gang has assembled a phishing campaign that leans on several trusted sources, including a legitimate service run by a top-tier security company, to convince its victims to open and download a malicious attachment.

Cofense Intelligence found that the attackers, who are targeting only Brazilians, make extensive use of trusted names, legitimate Windows binaries and Cloudflare Workers to deliver the Astaroth trojan, with the aim of stealing banking credentials. Despite the effort the gang has put in, Cofense researchers said the attacks can be stopped if the proper precautions, both human and technical, are in place.

The current campaign sends emails written only in Portuguese that pose as an invoice, a show ticket or a civil lawsuit notice. In each case the body of the email is socially engineered to convince the recipient to download and open the attached .htm file.

Opening the .htm file downloads a .zip archive that is geo-fenced to Brazil and contains a malicious .LNK file. The abuse of legitimate infrastructure comes next: the .LNK file downloads JavaScript from a Cloudflare Workers account. That script in turn downloads multiple files that help obfuscate and execute the Astaroth information stealer, including two .DLL files that are joined together and side-loaded into the legitimate program C:\Program Files\Internet Explorer\ExtExport.exe, Cofense wrote.

These later-stage downloads help the malware evade antivirus, application whitelisting and URL filtering.

The malware then uses process hollowing: it injects the previously downloaded code into several legitimate programs, the most important of which is unins000.exe, a process associated with the Brazilian banking system.

Astaroth then uses the normally trustworthy sites YouTube and Facebook, through user profiles and posts, to host and maintain its C2 configuration data.

“The data is within posts on Facebook or within the profile information of user accounts on YouTube. By hosting the C2 data within these trusted sources, the threat actors can bypass network security measures like content filtering. The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down,” Cofense wrote.

At this point the information stealer goes to work, gathering financial data, passwords stored in the browser, email client credentials and SSH credentials.

“Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures,” Cofense concluded.
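Cofense's point that each stage of the chain could have been caught is worth making concrete. What follows is an added example, not code from Cofense, SC Media or the Astaroth analysis: toy detection rules for the stages the article describes (the .htm lure, a script host fetching from Cloudflare Workers, a DLL side-loaded into ExtExport.exe from outside its install directory, and the hollowed unins000.exe reaching out to Facebook or YouTube), run over constructed Sysmon-style events. The event field names, the list of script hosts, the `*.workers.dev` domain, the `VendorX` install path and the attachment filename are all assumptions made for illustration.

```python
"""Toy detection logic for the Astaroth infection chain described above.

Added example, not Cofense's or SC Media's code.  The events are
constructed, Sysmon-like dicts rather than real telemetry; field names
and the *.workers.dev domain are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List
import ntpath

# Legitimate Windows binary the article says the joined DLLs are side-loaded
# into, mapped to the directory the genuine copy lives in.
SIDELOAD_HOSTS = {"extexport.exe": r"c:\program files\internet explorer"}

# DLLs loaded from these directories into a trusted host are treated as normal.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Script hosts a malicious .LNK typically launches (assumption; the article
# only says the .LNK downloads JavaScript from a Cloudflare Workers account).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
WORKERS_DOMAIN = "workers.dev"  # default Cloudflare Workers domain (assumption)

# Legitimate program the article says is hollowed, and the trusted sites that
# host the C2 configuration it reaches out to.
HOLLOW_TARGETS = {"unins000.exe"}
C2_HOSTING_DOMAINS = ("facebook.com", "youtube.com")


@dataclass(frozen=True)
class Alert:
    stage: str
    detail: str


def _image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_dir(path: str, directory: str) -> bool:
    """True if the file at `path` sits in `directory` or below it."""
    parent = ntpath.dirname(path).lower().rstrip("\\")
    return parent == directory or parent.startswith(directory + "\\")


def _under_domain(host: str, domain: str) -> bool:
    """True if `host` is `domain` or a subdomain of it (no substring matches)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def detect(events: Iterable[Dict[str, Any]]) -> List[Alert]:
    """Run every rule over the event stream and return the alerts raised, in order."""
    alerts: List[Alert] = []
    for ev in events:
        kind = ev["type"]
        if kind == "mail_attachment":
            # Stage 1: the lure carries an .htm attachment.
            if ev["filename"].lower().endswith((".htm", ".html")):
                alerts.append(Alert("1-htm-lure", f"attachment {ev['filename']}"))
        elif kind == "network":
            image = _image_name(ev["image"])
            host = ev["dest_host"]
            # Stage 2: a script host pulling the next stage from Cloudflare Workers.
            if image in SCRIPT_HOSTS and _under_domain(host, WORKERS_DOMAIN):
                alerts.append(Alert("2-lnk-workers-download", f"{image} -> {host}"))
            # Stage 4: the hollowed uninstaller reading its C2 config from social media.
            if image in HOLLOW_TARGETS and any(_under_domain(host, d) for d in C2_HOSTING_DOMAINS):
                alerts.append(Alert("4-hollowed-proc-c2", f"{image} -> {host}"))
        elif kind == "image_load":
            # Stage 3: a DLL loaded into ExtExport.exe from outside its home or Windows dirs.
            image = _image_name(ev["image"])
            home = SIDELOAD_HOSTS.get(image)
            if home is None:
                continue
            dll = ev["loaded"]
            if not _in_dir(dll, home) and not any(_in_dir(dll, d) for d in TRUSTED_DLL_DIRS):
                alerts.append(Alert("3-dll-sideload", f"{image} loaded {dll}"))
    return alerts


# Constructed sample telemetry: four malicious events interleaved with two benign ones.
SAMPLE_EVENTS = [
    {"type": "mail_attachment", "filename": "fatura.htm"},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "dest_host": "example-stage.workers.dev"},
    {"type": "image_load", "image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},           # benign
    {"type": "image_load", "image": r"C:\Program Files\Internet Explorer\ExtExport.exe",
     "loaded": r"C:\Users\Public\Libraries\joined.dll"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.youtube.com"},                           # benign
    {"type": "network", "image": r"C:\Program Files\VendorX\unins000.exe",
     "dest_host": "www.facebook.com"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.stage}] {alert.detail}")
```

Run on the constructed events it raises exactly one alert per malicious stage and none for the two benign lines. The side-load rule is the most broadly useful one: any signed Microsoft binary loading a DLL from a user-writable directory is worth a look regardless of which family is behind it, whereas the social-media rule only works because an Inno Setup uninstaller has no business talking to Facebook.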
