A new Astaroth banking trojan campaign has been discovered abusing GitHub to host malware configurations. The infection begins with a phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file; opening the shortcut installs the Astaroth malware. The trojan detects when the user visits banking or cryptocurrency websites and steals credentials by keylogging. It exfiltrates the stolen data to the attackers through an Ngrok reverse-proxy tunnel, and it falls back to GitHub to fetch updated configuration when its command-and-control servers become unreachable (the technique tagged T1102.002 below). The malware primarily targets South American countries, with a focus on Brazil. Astaroth employs various anti-analysis techniques and targets a specific list of banking and cryptocurrency-related sites. The GitHub repositories hosting the malicious configurations have been reported and taken down.
Author: AlienVault
Related Tags:
Uruguay
south america
Paraguay
Panama
T1102.002
keylogging
T1059.005
banking trojan
astaroth
Associated Indicators:
34207FBFFCB38ED51CD469D082C0C518B696BAC4EB61E5B191A141B5459669DF
A235D2E44EA87E5764C66247E80A1C518C38A7395291CE7037F877A968C7B42B
28515EA1ED7BEFB39F428F046BA034D92D44A075CC7A6F252D6FAF681BDBA39C
DB9D00F30E7DF4D0CF10CEE8C49EE59A6B2E518107FD6504475E99BBCF6CCE34
5AD81F7AB998C8574A925853D9BE5A55FE89D86E
BD730172327741BDB04170A56D819A8094548D98
5FCCE6C94043F57C0A396FFDCE4F316F5E1B67CF
DD6AC13E0847D558D515B3578FE9432C850FCCDA
6B50695795ADA6C00AEAD68D9090C739
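The indicators above are file hashes of three kinds (four SHA-256, four SHA-1, one MD5), unlabelled. The following is an added example of how a responder would sweep a host or share against them, not code from AlienVault or from this pulse: it infers the algorithm from the digest length (an assumption, since the pulse does not label the hashes), hashes every file once for all needed algorithms, and additionally flags ZIP archives that wrap a .lnk, the delivery container the pulse describes. The sample files it scans are constructed placeholders, not malware.

```python
import hashlib
import os
import shutil
import tempfile
import zipfile

# The nine file hashes listed under "Associated Indicators" on this pulse.
ASTAROTH_IOCS = {
    "34207FBFFCB38ED51CD469D082C0C518B696BAC4EB61E5B191A141B5459669DF",
    "A235D2E44EA87E5764C66247E80A1C518C38A7395291CE7037F877A968C7B42B",
    "28515EA1ED7BEFB39F428F046BA034D92D44A075CC7A6F252D6FAF681BDBA39C",
    "DB9D00F30E7DF4D0CF10CEE8C49EE59A6B2E518107FD6504475E99BBCF6CCE34",
    "5AD81F7AB998C8574A925853D9BE5A55FE89D86E",
    "BD730172327741BDB04170A56D819A8094548D98",
    "5FCCE6C94043F57C0A396FFDCE4F316F5E1B67CF",
    "DD6AC13E0847D558D515B3578FE9432C850FCCDA",
    "6B50695795ADA6C00AEAD68D9090C739",
}

# Assumption: the pulse does not label its hashes, so the algorithm is
# inferred from the hex digest length.
ALGO_BY_HEX_LENGTH = {64: "sha256", 40: "sha1", 32: "md5"}
HEX_DIGITS = set("0123456789abcdef")


def index_iocs(iocs):
    """Normalise digests to lowercase and bucket them by algorithm.
    Anything that is not a plausible MD5/SHA-1/SHA-256 hex digest raises,
    so a typo in an IOC list fails loudly instead of silently never matching."""
    index = {"sha256": set(), "sha1": set(), "md5": set()}
    for raw in iocs:
        h = raw.strip().lower()
        algo = ALGO_BY_HEX_LENGTH.get(len(h))
        if algo is None or not set(h) <= HEX_DIGITS:
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {raw!r}")
        index[algo].add(h)
    return index


def hash_file(path, algos):
    """Compute every requested digest of one file in a single read pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_dir(root, iocs=ASTAROTH_IOCS):
    """Walk root and return [(path, algo, digest)] for every file whose
    digest is in iocs. Unreadable files are skipped rather than fatal."""
    index = index_iocs(iocs)
    algos = [a for a, hashes in index.items() if hashes]
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path, algos)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in index[algo]:
                    hits.append((path, algo, digest))
    return hits


def zips_carrying_lnk(root):
    """Return [(zip_path, member)] for ZIP archives containing a Windows
    shortcut, the phishing delivery wrapper this campaign uses."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if not zipfile.is_zipfile(path):
                continue
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(".lnk"):
                        found.append((path, member))
    return found


def demo():
    """Constructed sample tree (no real malware): a benign text file and a
    ZIP wrapping a placeholder .lnk. Returns the scan results for checking."""
    root = tempfile.mkdtemp(prefix="astaroth_ioc_demo_")
    try:
        benign = os.path.join(root, "report.txt")
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign content, not an Astaroth sample\n")
        with zipfile.ZipFile(os.path.join(root, "invoice.zip"), "w") as zf:
            zf.writestr("invoice.lnk", b"constructed placeholder, not a shortcut")
        return {
            # Nothing here is a real sample, so the pulse IOCs match nothing.
            "pulse_hits": scan_dir(root),
            # Seeding the IOC set with the benign file's own SHA-256 shows matching works.
            "seeded_hits": scan_dir(root, ASTAROTH_IOCS | {hash_file(benign, ["sha256"])["sha256"]}),
            "lnk_zips": zips_carrying_lnk(root),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point scan_dir at a download folder, mail attachment store or file share to sweep for the listed samples; a .lnk inside a ZIP is only a triage signal (legitimate archives can carry shortcuts), so treat those hits as candidates for hash and sandbox review rather than as confirmed infections.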