Astaroth
Astaroth is a Trojan and information stealer known to affect companies in Europe and Brazil. It has been known publicly since at least late 2017. [1] [2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .009 | Boot or Logon Autostart Execution: Shortcut Modification | |
| .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |||
| Enterprise | T1115 | Clipboard Data |
Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. [1] |
|
| Enterprise | T1059 | .007 | Command and Scripting Interpreter: JavaScript/JScript |
Astaroth uses JavaScript to perform its core functionalities. [2] |
| .003 | Command and Scripting Interpreter: Windows Command Shell | |||
| Enterprise | T1555 | Credentials from Password Stores |
Astaroth uses an external software known as NetPass to recover passwords. [1] |
|
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Astaroth encodes data using Base64 before sending it to the C2 server. [2] |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Astaroth collects data in a plaintext file named r1.log before exfiltration. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [1] |
|
| Enterprise | T1041 | Exfiltration Over C2 Channel |
Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [1] |
|
| Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
Astaroth loads its module with the XSL script parameter |
| Enterprise | T1105 | Ingress Tool Transfer |
Astaroth uses certutil and BITSAdmin to download additional malware. [2][1] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging | |
| Enterprise | T1027 | Obfuscated Files or Information | ||
| .002 | Software Packing |
Astaroth uses a software packer called Pe123\RPolyCryptor.[1] |
||
| Enterprise | T1057 | Process Discovery |
Astaroth searches for different processes on the system. [1] |
|
| Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
Astaroth searches for unins000.exe (GAS Tecnologia software), |
| Enterprise | T1129 | Shared Modules |
Astaroth uses the LoadLibraryExW() function to load additional modules. [1] |
|
| Enterprise | T1218 | .001 | Signed Binary Proxy Execution: Compiled HTML File |
Astaroth uses ActiveX objects for file execution and manipulation. [2] |
| .010 | Signed Binary Proxy Execution: Regsvr32 | |||
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Astaroth checks for the presence of Avast antivirus in the |
| Enterprise | T1082 | System Information Discovery |
Astaroth collects the machine name and keyboard language from the system. [2][1] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Astaroth collects the external IP address from the system. [2] |
|
| Enterprise | T1124 | System Time Discovery |
Astaroth collects the timestamp from the infected machine. [2] |
|
| Enterprise | T1552 | Unsecured Credentials |
Astaroth uses an external software known as NetPass to recover passwords. [1] |
|
| Enterprise | T1047 | Windows Management Instrumentation | ||
| Enterprise | T1220 | XSL Script Processing |
Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [1] |
|