Astaroth

Astaroth, a notorious information-stealing banking trojan, has continued to evolve and remains a significant threat. Known for its sophisticated evasive skills, Astaroth is typically spread through spear phishing emails, such as the one identified by a threat hunter on Twitter. Once it infects a system, it targets specific processes, like Avast's aswrundll.exe. The malware also uses an external feature, NetPass, to enhance its data theft capabilities. If the JavaScript command is successfully executed, Astaroth's command and control (C&C) server gains a foothold on the endpoint. Indicators of compromise (IoCs) suggest that the second-level domain (SDL) of the URLs used by Astaroth have a similar structure and possibly use the same C&C servers. The latest version of the Astaroth Trojan campaign presents unique aspects compared to previous iterations. Unlike earlier versions which utilized cerutil to download files, the current campaign employs a new defense evasion technique. This technique is used in a later stage of the Astaroth infection chain, indicating potential collaboration between operators of different malware families or a single threat actor managing both. This intrusion set is tracked as "Water Makara," which further demonstrates Astaroth's continuous evolution. Despite Astaroth's reemergence and continued development, it is anticipated to persist into 2024. The malware's ability to adapt and evade detection highlights its ongoing threat to cybersecurity. The fact that it specifically targets certain antivirus processes, such as those of Avast, underscores its advanced capabilities and the need for robust cybersecurity measures. As Astaroth continues to evolve, it's crucial for organizations and individuals to remain vigilant and adopt comprehensive security strategies to protect against this persistent threat.