Astaroth

Malware Profile Updated 13 days ago
Astaroth is a banking trojan, also tracked as Guildma, regarded as a significant threat because of its well-developed evasion techniques and information-stealing capabilities. It reaches systems through suspicious downloads, emails, or websites, usually without the user's knowledge. Once installed, it can steal personal information, disrupt operations, or hold data hostage for ransom. The Astaroth campaign specifically abuses Avast's aswrundll.exe process and uses an external tool, NetPass, for additional credential theft. Earlier versions of the campaign used certutil to download files, so the current tooling indicates an evolution in the malware's methodology.

Security researchers have warned of a surge in email phishing campaigns that abuse the Google Cloud Run service to deliver banking trojans including Astaroth, Mekotio, and Ousaban. These attacks have targeted victims across Latin America and Europe since September 2023, and more than 300 financial organizations have already fallen victim to Astaroth. Mekotio, delivered in the later stages of Astaroth attacks, enables browser manipulation and theft of banking credentials and personal data. The misuse of Google Cloud Run as a delivery channel in these high-volume distribution campaigns is particularly concerning.

The latest Astaroth variant has targeted over 300 institutions across 15 Latin American countries, making it one of the most widespread malware campaigns in recent history. The highest-volume campaigns observed delivered the Astaroth, Mekotio, and Ousaban banking trojans, primarily to victims in Latin America. The scale and sophistication of these attacks underline the evolving threat landscape and the need for increased vigilance in defensive measures.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so possible overlapping names and profiles are listed here. None are currently listed for this profile.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Trojan, Exploit, Evasive, Google, Phishing, Cisco
Associated Malware
Ousaban (type: Unspecified, 2 votes)
Ousaban is a malicious software, or malware, specifically a banking trojan developed primarily in Delphi. This harmful program is designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites without the user's knowledge. Once inside, Ousaban
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Astaroth malware was read from the document corpus below. This display is limited to 20 results.

Source | Created | Title
MITRE | a year ago | Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data
MITRE | a year ago | Seeing a Resurgence of Demonic Astaroth WMIC Trojan | Cofense
CERT-EU | 3 months ago | Hackers abuse Google Cloud Run in massive banking trojan campaign
Unit42 | 5 months ago | From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence
CERT-EU | 3 months ago | Google Cloud Run Abused in Massive Banking Trojan Operation
CERT-EU | 3 months ago | High-volume malware campaigns involve Google Cloud Run exploitation
CERT-EU | 3 months ago | TikTok's latest actions to combat misinformation shows it's not just a U.S. problem
DARKReading | 3 months ago | Google's Cloud Run Service Spreads Several Bank Trojans
CERT-EU | a year ago | InfoSec Handlers Diary Blog - SANS Internet Storm Center
CERT-EU | 3 months ago | Banking Trojans Target Latin America and Europe Through Google Cloud Run