S0373 Astaroth
Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [3][1][2]
Item | Value |
---|---|
ID | S0373 |
Associated Names | Guildma |
Type | MALWARE |
Version | 2.1 |
Created | 17 April 2019 |
Last Modified | 21 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
Guildma | [2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Astaroth creates a startup item for persistence. [1] |
enterprise | T1547.009 | Shortcut Modification | Astaroth's initial payload is a malicious .LNK file. [1][3] |
enterprise | T1115 | Clipboard Data | Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() Windows API functions. [3] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Astaroth spawns a CMD process to execute commands. [3] |
enterprise | T1059.005 | Visual Basic | Astaroth has used malicious VBS e-mail attachments for execution. [2] |
enterprise | T1059.007 | JavaScript | Astaroth uses JavaScript to perform its core functionalities. [1][2] |
enterprise | T1555 | Credentials from Password Stores | Astaroth uses an external software known as NetPass to recover passwords. [3] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Astaroth encodes data using Base64 before sending it to the C2 server. [1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Astaroth collects data in a plaintext file named r1.log before exfiltration. [1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [3][2] |
enterprise | T1568 | Dynamic Resolution | - |
enterprise | T1568.002 | Domain Generation Algorithms | Astaroth has used a DGA in C2 communications. [3] |
enterprise | T1041 | Exfiltration Over C2 Channel | Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [3] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.003 | Hidden Window | Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. [3] |
enterprise | T1564.004 | NTFS File Attributes | Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads. [2] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.001 | DLL Search Order Hijacking | Astaroth can launch itself via DLL Search Order Hijacking. [2] |
enterprise | T1105 | Ingress Tool Transfer | Astaroth uses certutil and BITSAdmin to download additional malware. [1][3][2] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Astaroth logs keystrokes from the victim's machine. [1] |
enterprise | T1027 | Obfuscated Files or Information | Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys. [2] |
enterprise | T1027.002 | Software Packing | Astaroth uses a software packer called Pe123\RPolyCryptor. [3] |
enterprise | T1027.010 | Command Obfuscation | Astaroth has obfuscated and randomized parts of the JScript code it is initiating. [3] |
enterprise | T1598 | Phishing for Information | - |
enterprise | T1598.002 | Spearphishing Attachment | Astaroth has been delivered via malicious e-mail attachments. [2] |
enterprise | T1057 | Process Discovery | Astaroth searches for different processes on the system. [3] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.012 | Process Hollowing | Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code. [3][2] |
enterprise | T1129 | Shared Modules | Astaroth uses the LoadLibraryExW() function to load additional modules. [3] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Astaroth checks for the presence of Avast antivirus in the C:\Program Files\ folder. [1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.001 | Compiled HTML File | Astaroth uses ActiveX objects for file execution and manipulation. [1] |
enterprise | T1218.010 | Regsvr32 | Astaroth can be loaded through regsvr32.exe. [3] |
enterprise | T1082 | System Information Discovery | Astaroth collects the machine name and keyboard language from the system. [1][3] |
enterprise | T1016 | System Network Configuration Discovery | Astaroth collects the external IP address from the system. [1] |
enterprise | T1124 | System Time Discovery | Astaroth collects the timestamp from the infected machine. [1] |
enterprise | T1552 | Unsecured Credentials | Astaroth uses an external software known as NetPass to recover passwords. [3] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Astaroth has used malicious files including VBS, LNK, and HTML for execution. [2] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | Astaroth can check for Windows product IDs used by sandboxes, as well as usernames and disk serial numbers associated with analyst environments. [2] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.001 | Dead Drop Resolver | Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and on websites like YouTube and Facebook. [2] |
enterprise | T1047 | Windows Management Instrumentation | Astaroth uses WMIC to execute payloads. [1] |
enterprise | T1220 | XSL Script Processing | Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [3] |
References
1. Doaty, J., Garrett, P. (2018, September 10). We're Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
2. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
3. Salem, E. (2019, February 13). Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data. Retrieved April 17, 2019.