A cybercriminal gang has put together a phishing campaign that abuses several trusted sources, including a service from a top-tier security company, to convince its victims to open and download a malicious attachment.
Cofense Intelligence found that the malicious actors, who are targeting only Brazilians, are extensively using trusted names, legitimate Windows services and Cloudflare Workers to deliver the Astaroth trojan with the aim of stealing banking credentials. However, despite the effort put forth by the gang, Cofense researchers said the attacks can be stopped if the proper precautions, both human and technical, are in place.
The current campaign sends emails only in Portuguese, pretending to be an invoice, a show ticket or a civil lawsuit. In each case the body of the email is socially engineered to convince the recipient to open and then download the attached .htm file.
These later-stage downloads help the malware evade antivirus, whitelisting and URL-filtering controls.
The malware then uses a technique called process hollowing, in which it injects previously downloaded code into several legitimate programs, the most important of which is unins000.exe, a binary associated with the Brazilian banking system.
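One defensive check the process-hollowing step suggests, added here as an illustration and not taken from Cofense's report or the malware itself: flag endpoint process-access events in which some other process obtains write-and-execute rights over unins000.exe. It assumes Sysmon-style Event ID 10 (ProcessAccess) records flattened to dicts; the field layout and the sample events are constructed for the example.

```python
"""Flag process-access events that look like hollowing of unins000.exe.

Added example, not Cofense's or the campaign's code. Assumes Sysmon-style
Event ID 10 records as dicts with SourceImage, TargetImage and a hex
GrantedAccess string; the events below are constructed, not real telemetry.
"""
from dataclasses import dataclass

# Windows process access rights that let a caller rewrite another process's
# memory and run code inside it (documented Win32 constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
WRITE_AND_RUN = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

TARGETS = {"unins000.exe"}  # hollowing target named in the write-up

@dataclass
class Alert:
    source: str
    target: str
    granted: int
    reason: str

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_hollowing(events):
    alerts = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        tgt = basename(ev["TargetImage"])
        src = basename(ev["SourceImage"])
        if tgt not in TARGETS or src == tgt:  # a process opening itself is normal
            continue
        granted = int(ev["GrantedAccess"], 16)
        if granted & WRITE_AND_RUN == WRITE_AND_RUN:
            reason = "write+execute access to target"
            if granted & PROCESS_SUSPEND_RESUME:
                reason += " plus suspend/resume"  # classic hollowing precondition
            alerts.append(Alert(src, tgt, granted, reason))
    return alerts

# Constructed sample telemetry: one full-access open, one read-only open.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Users\u\AppData\Local\Temp\unins000.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Users\u\AppData\Local\Temp\unins000.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\unins000.exe"},
]
```

Debuggers and security tools legitimately request the same rights, so in production this rule needs an allowlist of known source images and correlation with the preceding .htm-delivered download chain.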
Astaroth then uses profiles on the normally trustworthy sites YouTube and Facebook to host and maintain its C2 configuration data.
“The data is within posts on Facebook or within the profile information of user accounts on YouTube. By hosting the C2 data within these trusted sources, the threat actors can bypass network security measures like content filtering. The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down,” Cofense wrote.
At this point the information stealer goes to work, gathering financial data, passwords stored in the browser, email client credentials and SSH credentials.
“Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures,” Cofense concluded.