Thursday, July 18, 2024

Hackers using Facebook and YouTube Profiles to Host Astaroth Malware C2 Server

Cybercriminals abusing Facebook and YouTube profiles to host the Astaroth malware that launches through sophisticated phishing campaign to target mainly Brazilian citizens.

Threat actors behind the Astaroth Trojan using a various trusted source to compromise and steal the sensitive the data from the victims.

Security research community motioning Astaroth Trojan activities since 2018 and the malware evade the various security protection by abusing the antivirus to intrude the targeted device.

Astaroth leverages the legitimate windows services to drop the payload, and the method will help to easily bypass the security protection.

Researchers from Cofense uncovered a phishing email campaign that temp users to open a .htm file which is the initial stage of start the infection.

Astaroth Malware Infection Process

Once the Victims opens the .htm file, it downloads a zip file that contains .LNK file which downloads JavaScript.

Soon after Javascript code download multiple files that execute the Astaroth information stealer.

Researchers discovered a two .DLL files that associated with the legitimate program ( ‘C:\Program Files\Internet Explorer\ExtExport.exe’.) to run malicious code from trusted sources.

According to Cofense report ” The legitimate programs that were targeted for process hollowing were unins000.exe, svchost.exe, and userinit.exe. The program unins000.exe is most notably used within a security program on systems that allow online banking in Brazil. After the program’s process is hollowed out and replaced with malicious code, Astaroth begins to retrieve the Command and Control (C2) configuration data from outside trusted sources. “

In order to maintain the C2 configuration data, threat actors using the Facebook and YouTube profiles description with base64 encoded and custom encrypted.

Threat actors cleverly hosting the C2 data within these trusted sources to bypass the network security, and gather the victim’s information to collect the sensitive information such as stored passwords in the browser, email client credentials, SSH credentials, and more.

After the malware collects all the data, it bundles and encrypts sent via HTTPS POST to a site from the C2 list.


Latest articles

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Cybercriminals Exploit Attack on Donald Trump for Crypto Scams

Researchers at Bitdefender Labs remain ever-vigilant, informing users about the latest scams and internet...

New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations...

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles