• Astaroth still relies on email campaigns for distribution and still executes filelessly, but it has also gained three major updates.
  • One of them is the use of YouTube channels for C2, which helps it evade detection by leveraging a commonly used service on commonly used ports.

Astaroth, a trojan specialized in stealing sensitive information, was discovered last year. Since then it has evolved into a highly stealthy piece of malware, adding a wider range of checks that keep security researchers from detecting and stopping it.

Last year, Microsoft announced the discovery of many ongoing malware campaigns by the Windows Defender ATP team. These campaigns distributed the Astaroth malware in a fileless manner, which makes it even more dangerous.


Here’s how a Microsoft Defender ATP researcher described the attacks:

I was doing a standard review of telemetry when I noticed an anomaly from a detection algorithm designed to catch a specific fileless technique. Telemetry showed a sharp increase in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script (a technique that MITRE refers to as XSL Script Processing), indicating a fileless attack.

What is Astaroth up to now?

In a new report, Cisco Talos says that Astaroth still relies on email campaigns for distribution, still executes filelessly, and still lives off the land using built-in system binaries (LOLBins). The bad news is that it has also gained three major updates, quoted here from the Cisco Talos report:

  • Astaroth implements a robust series of anti-analysis/evasion techniques, among the most thorough we’ve seen recently.
  • Astaroth is effective at evading detection and ensuring, with reasonable certainty, that it is only being installed on systems in Brazil and not on sandboxes and researchers' systems.
  • Novel use of YouTube channels for C2 helps evade detection, by leveraging a commonly used service on commonly used ports.

What is Astaroth and how does it work?

If you didn’t know, Astaroth is a well-known malware focused on stealing sensitive information like credentials and other personal data and sending it back to the attacker.

Although many Windows 10 users run anti-malware or antivirus software, the fileless technique makes the malware harder to detect. Here’s the OP’s scheme of how the attack works: [figure: Astaroth malware attack]

Notably, the only files run during the attack process are system tools. This technique is called living off the land, and it is commonly used to slip past traditional antivirus solutions.
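Because only system tools run, detection has to key on how those tools are invoked. The following added example (not code from Microsoft, Cisco Talos or this article) flags the WMIC script-execution pattern from the researcher's quote above in process-creation command lines; the allowlist of built-in /format keywords, the verdict names and the sample records are assumptions constructed for illustration.

```python
import re

# Assumed allowlist of WMIC's built-in /format keywords (not exhaustive;
# extend it with whatever your administrators legitimately use).
BUILTIN_FORMATS = {
    "csv", "hform", "htable", "list", "mof", "rawxml", "table", "value", "xml",
}

# wmic or wmic.exe as a whole token, with or without a path or quotes.
WMIC_IMAGE = re.compile(r'(?:^|[\\/"\s])wmic(?:\.exe)?(?=["\s]|$)', re.I)
# /format:<value>, quoted or bare, case-insensitive.
FORMAT_ARG = re.compile(r'/format\s*:\s*(?:"([^"]*)"|(\S+))', re.I)
# URL scheme or UNC path means the stylesheet is fetched from elsewhere.
REMOTE = re.compile(r'^(?:[a-z][a-z0-9+.-]*://|\\\\)', re.I)


def classify(cmdline):
    """Return None (nothing to flag), 'local-stylesheet' or 'remote-stylesheet'."""
    if not WMIC_IMAGE.search(cmdline):
        return None
    m = FORMAT_ARG.search(cmdline)
    if not m:
        return None
    value = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
    if value.lower() in BUILTIN_FORMATS:
        return None  # ordinary output formatting
    return "remote-stylesheet" if REMOTE.match(value) else "local-stylesheet"


def scan(events):
    """events: iterable of (host, command_line). Returns the flagged ones."""
    return [(host, verdict, cmd) for host, cmd in events
            if (verdict := classify(cmd))]


# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    ("ws-01", r'wmic os get Caption /format:list'),
    ("ws-02", r'"C:\Windows\System32\wbem\WMIC.exe" os get /FORMAT:"https://example.invalid/a.xsl"'),
    ("ws-03", r'cmd.exe /c wmic process list /format:C:\Users\Public\v.xsl'),
    ("ws-04", r'powershell.exe -c Get-Process'),
]

if __name__ == "__main__":
    for host, verdict, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}\t{verdict}\t{cmd}")
```

Feed it the command-line field from Sysmon Event ID 1 or Security Event ID 4688 records; a sudden rise in flagged hosts is the kind of anomaly the quote describes.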

How can I protect my system against this attack?

First of all, make sure that your Windows 10 is up to date. Also, make sure that your Windows Defender Firewall is up and running and has the latest definition updates.


If you’re an Office 365 user, you’ll be happy to know that:

For this Astaroth campaign, Office 365 Advanced Threat Protection (Office 365 ATP) detects the emails with malicious links that start the infection chain.

Luckily, Astaroth mainly targets Brazil, and the e-mails you would be receiving are in Portuguese. Stay on your toes nonetheless.


Editor’s Note: This post was originally published in July 2019 and has been since revamped and updated in May 2020 for freshness, accuracy, and comprehensiveness.