Name | Astaroth malware |
Additional Names | Guildma |
Type of Malware | Fileless Malware, Info Stealing Malware |
Date of Initial Activity | 2017 |
Motivation | Information targeted includes financial data, sensitive browser data (passwords/credentials), SSH, and email credentials. Upon retrieval, the information is encrypted, then exfiltrated via an HTTPS POST to the attacker's C2 server. |
Attack Vectors | |
Targeted System | Android |
Overview
Astaroth is a highly prevalent, information-stealing Latin American banking trojan. It is written in Delphi and has some innovative execution and attack techniques.
Targets
Originally, this malware variant targeted Brazilian users, but Astaroth now targets users both in North America and Europe.
Tools / Techniques Used
The main vector used by the group is sending malicious files in compressed format, attached to email. File types vary from VBS to LNK; the most recent campaign started to attach an HTML file which executes JavaScript to download a malicious file and uses Alternate Data Streams (ADS).
Impact / Significant Attacks
Astaroth Trojan malware has resurfaced in South America, with more than 8,000 machines attacked in just one week.