Skip to content

S0373 Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. 312

Item Value
ID S0373
Associated Names Guildma
Type MALWARE
Version 2.1
Created 17 April 2019
Last Modified 21 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Guildma 2

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Astaroth creates a startup item for persistence. 1
enterprise T1547.009 Shortcut Modification Astaroth‘s initial payload is a malicious .LNK file. 13
enterprise T1115 Clipboard Data Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. 3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Astaroth spawns a CMD process to execute commands. 3
enterprise T1059.005 Visual Basic Astaroth has used malicious VBS e-mail attachments for execution.2
enterprise T1059.007 JavaScript Astaroth uses JavaScript to perform its core functionalities. 12
enterprise T1555 Credentials from Password Stores Astaroth uses an external software known as NetPass to recover passwords. 3
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Astaroth encodes data using Base64 before sending it to the C2 server. 1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Astaroth collects data in a plaintext file named r1.log before exfiltration. 1
enterprise T1140 Deobfuscate/Decode Files or Information Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. 32
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms Astaroth has used a DGA in C2 communications.3
enterprise T1041 Exfiltration Over C2 Channel Astaroth exfiltrates collected information from its r1.log file to the external C2 server. 3
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. 3
enterprise T1564.004 NTFS File Attributes Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads.2
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Astaroth can launch itself via DLL Search Order Hijacking.2
enterprise T1105 Ingress Tool Transfer Astaroth uses certutil and BITSAdmin to download additional malware. 132
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Astaroth logs keystrokes from the victim’s machine. 1
enterprise T1027 Obfuscated Files or Information Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.2
enterprise T1027.002 Software Packing Astaroth uses a software packer called Pe123\RPolyCryptor.3
enterprise T1027.010 Command Obfuscation Astaroth has obfuscated and randomized parts of the JScript code it is initiating.3
enterprise T1598 Phishing for Information -
enterprise T1598.002 Spearphishing Attachment Astaroth has been delivered via malicious e-mail attachments.2
enterprise T1057 Process Discovery Astaroth searches for different processes on the system.3
enterprise T1055 Process Injection -
enterprise T1055.012 Process Hollowing Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.32
enterprise T1129 Shared Modules Astaroth uses the LoadLibraryExW() function to load additional modules. 3
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder. 1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.001 Compiled HTML File Astaroth uses ActiveX objects for file execution and manipulation. 1
enterprise T1218.010 Regsvr32 Astaroth can be loaded through regsvr32.exe.3
enterprise T1082 System Information Discovery Astaroth collects the machine name and keyboard language from the system. 13
enterprise T1016 System Network Configuration Discovery Astaroth collects the external IP address from the system. 1
enterprise T1124 System Time Discovery Astaroth collects the timestamp from the infected machine. 1
enterprise T1552 Unsecured Credentials Astaroth uses an external software known as NetPass to recover passwords. 3
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Astaroth has used malicious files including VBS, LNK, and HTML for execution.2
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Astaroth can check for Windows product ID’s used by sandboxes and usernames and disk serial numbers associated with analyst environments.2
enterprise T1102 Web Service -
enterprise T1102.001 Dead Drop Resolver Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.2
enterprise T1047 Windows Management Instrumentation Astaroth uses WMIC to execute payloads. 1
enterprise T1220 XSL Script Processing Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. 3

References