Wednesday, December 25, 2024
HomeMalwareHackers using Facebook and YouTube Profiles to Host Astaroth Malware C2 Server

Hackers using Facebook and YouTube Profiles to Host Astaroth Malware C2 Server

Published on

SIEM as a Service

Cybercriminals abusing Facebook and YouTube profiles to host the Astaroth malware that launches through sophisticated phishing campaign to target mainly Brazilian citizens.

Threat actors behind the Astaroth Trojan using a various trusted source to compromise and steal the sensitive the data from the victims.

Security research community motioning Astaroth Trojan activities since 2018 and the malware evade the various security protection by abusing the antivirus to intrude the targeted device.

- Advertisement - SIEM as a Service

Astaroth leverages the legitimate windows services to drop the payload, and the method will help to easily bypass the security protection.

Researchers from Cofense uncovered a phishing email campaign that temp users to open a .htm file which is the initial stage of start the infection.

Astaroth Malware Infection Process

Once the Victims opens the .htm file, it downloads a zip file that contains .LNK file which downloads JavaScript.

Soon after Javascript code download multiple files that execute the Astaroth information stealer.

Researchers discovered a two .DLL files that associated with the legitimate program ( ‘C:\Program Files\Internet Explorer\ExtExport.exe’.) to run malicious code from trusted sources.

According to Cofense report ” The legitimate programs that were targeted for process hollowing were unins000.exe, svchost.exe, and userinit.exe. The program unins000.exe is most notably used within a security program on systems that allow online banking in Brazil. After the program’s process is hollowed out and replaced with malicious code, Astaroth begins to retrieve the Command and Control (C2) configuration data from outside trusted sources. “

In order to maintain the C2 configuration data, threat actors using the Facebook and YouTube profiles description with base64 encoded and custom encrypted.

Threat actors cleverly hosting the C2 data within these trusted sources to bypass the network security, and gather the victim’s information to collect the sensitive information such as stored passwords in the browser, email client credentials, SSH credentials, and more.

After the malware collects all the data, it bundles and encrypts sent via HTTPS POST to a site from the C2 list.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...