1 min read

Astaroth Trojan Resurfaces, Targets Brazil through Fileless Campaign

Liviu ARSENE

July 09, 2019


During routine detection monitoring from our Advanced Threat Defense technology, Bitdefender researchers found an interesting spike in malware activity that involved using Microsoft binaries in the infection process, as well as GitHub and Google Drive for delivering payloads. After analyzing the detection details, we identified this activity as a resurgence of the Astaroth spyware, a Trojan and information stealer known since late 2017.

What sets this Astaroth campaign apart is the use of native Microsoft tools – commonly known as “living off the land” – to avoid detection by traditional security solutions, as well as the fact that it specifically targets Brazil by checking for a Brazilian location and a Portuguese-language keyboard before activating. Bitdefender telemetry shows that 92.61 percent of users targeted by this May 2019 Astaroth campaign are in Brazil.

Astaroth logs keystrokes only when a victim uses Internet Explorer (IE) and browses to specific Brazilian banks or businesses, and will even terminate Chrome or Firefox executables to make sure the victim uses IE. Our investigation also revealed that threat actors seem to use multiple versions of the same malware and host them on multiple websites.
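The browser-forcing behaviour described above gives defenders something concrete to look for in endpoint telemetry. The following detection heuristic is an added example, not Bitdefender's code or anything from the whitepaper; the event schema, the allow-list of benign process-terminating images, the 60-second window and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass

# Behaviour described in the post: the stealer terminates Chrome/Firefox so the
# victim falls back to Internet Explorer, the only browser it keylogs.
TARGET_BROWSERS = {"chrome.exe", "firefox.exe"}
FORCED_BROWSER = "iexplore.exe"
# Hypothetical allow-list of processes expected to end browsers legitimately.
BENIGN_KILLERS = {"taskmgr.exe", "explorer.exe", "csrss.exe"}

@dataclass
class Event:
    ts: float     # seconds since epoch (constructed)
    host: str
    kind: str     # "start" or "terminate"
    actor: str    # image name of the process performing the action
    target: str   # image name started or terminated

def detect_ie_forcing(events, window=60.0):
    """Return (host, actor, target, ts) for every third-party termination of a
    targeted browser that is accompanied by an iexplore.exe start on the same
    host within `window` seconds. A browser ending itself (the user closing it)
    and allow-listed actors are ignored."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    alerts = []
    for host, evs in by_host.items():
        ie_starts = [e.ts for e in evs if e.kind == "start" and e.target == FORCED_BROWSER]
        for e in evs:
            if e.kind != "terminate" or e.target not in TARGET_BROWSERS:
                continue
            if e.actor == e.target or e.actor in BENIGN_KILLERS:
                continue
            if any(abs(t - e.ts) <= window for t in ie_starts):
                alerts.append((host, e.actor, e.target, e.ts))
    return sorted(alerts, key=lambda a: (a[0], a[3]))

# Constructed telemetry, not real captures; "unknown_payload.exe" is a placeholder name.
SAMPLE_EVENTS = [
    Event(100.0, "ws01", "terminate", "chrome.exe", "chrome.exe"),           # user closes Chrome
    Event(200.0, "ws02", "terminate", "unknown_payload.exe", "chrome.exe"),
    Event(201.0, "ws02", "terminate", "unknown_payload.exe", "firefox.exe"),
    Event(230.0, "ws02", "start", "unknown_payload.exe", "iexplore.exe"),
    Event(300.0, "ws03", "terminate", "taskmgr.exe", "firefox.exe"),        # allow-listed actor
    Event(310.0, "ws03", "start", "explorer.exe", "iexplore.exe"),
    Event(400.0, "ws04", "terminate", "unknown_payload.exe", "chrome.exe"),  # no IE start follows
]

if __name__ == "__main__":
    for alert in detect_ie_forcing(SAMPLE_EVENTS):
        print("IE-forcing suspected:", alert)
```

Only host ws02 fires: two browser terminations by a non-browser, non-allow-listed process followed by an Internet Explorer start within the window.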

Key Findings:

  • Astaroth distribution via legitimate online services (GitHub, Google Drive)
  • Campaign specifically targets Brazilian users (92.61 percent) by checking for a Brazilian locale and a Portuguese-language keyboard before activating
  • Uses fileless techniques and native Microsoft tools to hide from traditional security solutions
  • Threat actors use multiple versions of the same malware, each hosted on a large number of websites
  • Logs keystrokes only when the victim uses Internet Explorer to browse to specific Brazilian banks or businesses

For a more detailed technical analysis, please check out the technical paper below:

Download the whitepaper
