Astaroth

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. [1][2][3]

ID: S0373
Associated Software: Guildma
Type: MALWARE
Platforms: Windows
Contributors: Carlos Borges, @huntingneo, CIP
Version: 2.0
Created: 17 April 2019
Last Modified: 08 December 2020

Associated Software Descriptions

Name Description
Guildma

[3]

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Astaroth creates a startup item for persistence. [2]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Astaroth's initial payload is a malicious .LNK file. [2][1]

Enterprise T1115 Clipboard Data

Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. [1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Astaroth spawns a CMD process to execute commands. [1]

.005 Command and Scripting Interpreter: Visual Basic

Astaroth has used malicious VBS e-mail attachments for execution.[3]

.007 Command and Scripting Interpreter: JavaScript

Astaroth uses JavaScript to perform its core functionalities. [2][3]

Enterprise T1555 Credentials from Password Stores

Astaroth uses an external software known as NetPass to recover passwords. [1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Astaroth encodes data using Base64 before sending it to the C2 server. [2]

Enterprise T1074 .001 Data Staged: Local Data Staging

Astaroth collects data in a plaintext file named r1.log before exfiltration. [2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [1][3]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

Astaroth has used a DGA in C2 communications.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. [1]

.004 Hide Artifacts: NTFS File Attributes

Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads.[3]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Astaroth can launch itself via DLL Search Order Hijacking.[3]

Enterprise T1105 Ingress Tool Transfer

Astaroth uses certutil and BITSAdmin to download additional malware. [2][1][3]

Enterprise T1056 .001 Input Capture: Keylogging

Astaroth logs keystrokes from the victim's machine. [2]

Enterprise T1027 Obfuscated Files or Information

Astaroth obfuscates its JScript code, and has used an XOR-based algorithm to encrypt payloads twice with different keys.[1][3]

.002 Software Packing

Astaroth uses a software packer called Pe123\RPolyCryptor.[1]

Enterprise T1598 .002 Phishing for Information: Spearphishing Attachment

Astaroth has been delivered via malicious e-mail attachments.[3]

Enterprise T1057 Process Discovery

Astaroth searches for different processes on the system.[1]

Enterprise T1055 .012 Process Injection: Process Hollowing

Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.[1][3]

Enterprise T1129 Shared Modules

Astaroth uses the LoadLibraryExW() function to load additional modules. [1]

Enterprise T1218 .001 Signed Binary Proxy Execution: Compiled HTML File

Astaroth uses ActiveX objects for file execution and manipulation. [2]

.010 Signed Binary Proxy Execution: Regsvr32

Astaroth can be loaded through regsvr32.exe.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Astaroth checks for the presence of Avast antivirus in the C:\Program\Files\ folder. [2]

Enterprise T1082 System Information Discovery

Astaroth collects the machine name and keyboard language from the system. [2][1]

Enterprise T1016 System Network Configuration Discovery

Astaroth collects the external IP address from the system. [2]

Enterprise T1124 System Time Discovery

Astaroth collects the timestamp from the infected machine. [2]

Enterprise T1552 Unsecured Credentials

Astaroth uses an external software known as NetPass to recover passwords. [1]

Enterprise T1204 .002 User Execution: Malicious File

Astaroth has used malicious files including VBS, LNK, and HTML for execution.[3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Astaroth can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments.[3]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.[3]

Enterprise T1047 Windows Management Instrumentation

Astaroth uses WMIC to execute payloads. [2]

Enterprise T1220 XSL Script Processing

Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [1]

References