Astaroth malware (Fileless Malware)

Name	Astaroth malware
Additional Names	Guildma
Type of Malware	Fileless Malware, Info Stealing Malware
Date of Initial Activity	2017
Motivation	Information targeted includes financial data, sensitive browser data (passwords/credentials), SSH, and email credentials. Upon retrieval, the information encrypted, then exfiltrated via an HTTPS POST to the attacker’s C2 server.
Attack Vectors	Email
Targeted System	Android

Overview

Astaroth is a highly prevalent, information-stealing Latin American banking trojan. It is written in Delphi and has some innovative execution and attack techniques.

Targets

Originally, this malware variant targeted Brazilian users, but Astaroth now targets users both in North America and Europe.

Tools/ Techniques Used

The main vector used by the group is sending malicious files in compressed format, attached to email. File types vary from VBS to LNK; the most recent campaign started to attach an HTML file which executes JavaScript for downloading a malicious file and using Alternate Data Stream (ADS).

Impact / Significant Attacks

Astaroth Trojan malware has resurfaced in South America, with more than 8,000 machines attacked in just one week.

References

1. Astaroth
2. Astaroth: Banking Trojan
3. Latest Astaroth living-off-the-land attacks are even more invisible but not less observable