Cyber Web Spider Blog – News
Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns

Posted on October 13, 2025 by CWS

Oct 13, 2025Ravie LakshmananMalware / Monetary Safety
Cybersecurity researchers are calling attention to a new campaign that delivers the Astaroth banking trojan and uses GitHub as a backbone for its operations, so that it stays resilient in the face of infrastructure takedowns.
"Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations," McAfee Labs researchers Harshil Patel and Prabudh Chakravorty said in a report.
"When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running."
The activity, per the cybersecurity company, is primarily focused on Brazil, although the banking malware is known to target various other countries in Latin America, including Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama.

This isn't the first time Astaroth campaigns have trained their sights on Brazil. In July and October 2024, Google and Trend Micro warned of threat clusters dubbed PINEAPPLE and Water Makara, respectively, that used phishing emails to distribute the malware.
The latest attack chain is no different in that it also begins with a DocuSign-themed phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file, which, when opened, installs Astaroth on the compromised host.
The LNK file contains obfuscated JavaScript that is responsible for fetching additional JavaScript from an external server. The newly fetched JavaScript code, for its part, downloads a number of files from one of several hard-coded servers, chosen at random.
These include an AutoIt script that is executed by the JavaScript payload. The script then loads and runs shellcode, which, in turn, loads a Delphi-based DLL that decrypts the Astaroth payload and injects it into a newly created RegSvc.exe process.
Astaroth is a Delphi malware designed to monitor victims' visits to banking or cryptocurrency websites and steal their credentials by keylogging. The captured information is transmitted to the attackers through the Ngrok reverse proxy.

It accomplishes this by checking, every second, which browser window is active and whether it has a banking-related website open. If both conditions are met, the malware hooks keyboard events to record keystrokes. Some of the targeted websites are listed below -

caixa.gov[.]br
safra.com[.]br
itau.com[.]br
bancooriginal.com[.]br
santandernet.com[.]br
btgpactual[.]com
etherscan[.]io
binance[.]com
bitcointrade.com[.]br
metamask[.]io
foxbit.com[.]br
localbitcoins[.]com

Astaroth also comes fitted with anti-analysis capabilities and shuts down automatically if it detects emulators, debuggers, or analysis tools such as QEMU Guest Agent, HookExplorer, IDA Pro, ImmunityDebugger, PE Tools, WinDbg, and Wireshark, among others.
Persistence on the host is set up by dropping an LNK file in the Windows Startup folder that runs the AutoIt script, so the malware launches automatically after a reboot. What's more, not only is the initial URL accessed by the JavaScript within the LNK file geofenced, the malware also checks that the machine's system locale is not set to English or the U.S. before proceeding.
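The delivery chain (script host running the dropped JavaScript, AutoIt interpreter launched from a user-writable directory, RegSvc.exe spawned by AutoIt) and the Startup-folder LNK persistence described above give a defender four observable stages to hunt for. The script below is an added illustration, not McAfee's code or published indicators: it runs four heuristics over Sysmon-style event records that are constructed inline (EventID 1 = process create, EventID 11 = file create). The user name, file paths and the exact rule thresholds are assumptions; RegSvc.exe is used only because that is the process name the article reports.

```python
"""Hunt heuristics for the LNK -> JavaScript -> AutoIt -> RegSvc.exe chain
and the Startup-folder persistence described in the article.

Added illustration, not McAfee's code or published indicators. The events
are constructed below in a Sysmon-like shape (EventID 1 = process create,
EventID 11 = file create); user name, file names and thresholds are
assumptions, and the four rules are the author's reading of the article.
"""
import ntpath
import re
from collections import Counter

# Per-user and all-users Startup folders both end with this path suffix.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Directories an unprivileged user can write to; tune for your environment.
USER_WRITABLE_RE = re.compile(r"c:\\(users\\[^\\]+\\appdata|programdata)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
AUTOIT_RE = re.compile(r"^autoit3(_x64)?\.exe$", re.IGNORECASE)


def _name(path):
    """Lower-cased file name of a Windows path ('' for None)."""
    return ntpath.basename(path or "").lower()


def classify(ev):
    """Return the list of rule names an event triggers (empty if benign)."""
    hits = []
    if ev["EventID"] == 11:
        # Rule 1: a shortcut written into a Startup folder (persistence step).
        if STARTUP_RE.search(ev["TargetFilename"]):
            hits.append("lnk_in_startup_folder")
        return hits
    if ev["EventID"] != 1:
        return hits

    image, parent = _name(ev["Image"]), _name(ev.get("ParentImage"))
    cmdline = ev.get("CommandLine", "")
    # Rule 2: a script host running code out of a user-writable directory
    # (the JavaScript stage that fetches the next stage).
    if image in SCRIPT_HOSTS and USER_WRITABLE_RE.search(cmdline):
        hits.append("script_host_from_user_dir")
    # Rule 3: AutoIt interpreter launched by a script host, or itself living
    # in a user-writable directory (the dropped AutoIt stage).
    if AUTOIT_RE.match(image) and (parent in SCRIPT_HOSTS or USER_WRITABLE_RE.search(ev["Image"])):
        hits.append("autoit_from_script_host")
    # Rule 4: the reported injection target spawned by the AutoIt interpreter.
    if image == "regsvc.exe" and AUTOIT_RE.match(parent):
        hits.append("regsvc_spawned_by_autoit")
    return hits


def scan(events):
    """Count rule hits across a batch of events."""
    counts = Counter()
    for ev in events:
        counts.update(classify(ev))
    return counts


def looks_like_astaroth_chain(events, min_rules=3):
    """True when enough distinct stages of the chain appear in one batch."""
    return len(scan(events)) >= min_rules


# Constructed sample telemetry: four malicious stages followed by two benign
# events (a developer's AutoIt run, a desktop shortcut) that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe //e:jscript "C:\Users\ana\AppData\Local\Temp\DocuSign_1234.js"'},
    {"EventID": 1, "Image": r"C:\Users\ana\AppData\Local\Temp\AutoIt3.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'AutoIt3.exe "C:\Users\ana\AppData\Local\Temp\stage.a3x"'},
    {"EventID": 1, "Image": r"C:\Users\ana\AppData\Local\Temp\RegSvc.exe",
     "ParentImage": r"C:\Users\ana\AppData\Local\Temp\AutoIt3.exe",
     "CommandLine": "RegSvc.exe"},
    {"EventID": 11, "Image": r"C:\Users\ana\AppData\Local\Temp\AutoIt3.exe",
     "TargetFilename": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 1, "Image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\AutoIt3\AutoIt3.exe" "C:\Dev\build.au3"'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\ana\Desktop\notes.lnk"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or "-", _name(ev.get("TargetFilename") or ev["Image"]))
    print("chain detected:", looks_like_astaroth_chain(SAMPLE_EVENTS))
```

Requiring several distinct stages before raising an alert is deliberate: any one rule (an AutoIt interpreter in AppData, a new Startup shortcut) will fire on legitimate software, but the combination within one batch is what characterises this chain.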
"Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible, by hosting images on GitHub, which uses steganography to hide this information in plain sight," McAfee said.
In doing so, the malware leverages a legitimate platform to host configuration files and turns it into a resilient backup infrastructure for when the primary C2 servers become inaccessible. The company noted that it worked with the Microsoft-owned subsidiary to remove the GitHub repositories, temporarily neutralizing the operations.
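To show why an image on a public repository is a workable backup channel, here is an added round-trip example (not McAfee's analysis and not Astaroth's actual encoding): a configuration blob is hidden in the least-significant bits of an RGB pixel buffer and recovered again. The article does not say which steganographic scheme the malware uses, so the LSB layout, the `CFG1` marker, the length prefix and the sample configuration are all assumptions, and the carrier is a synthetic noise "image" built inline so no image library is required.

```python
"""LSB steganography round-trip: hide a config blob in image pixel data and
recover it, illustrating the image-hosted backup configuration channel the
article describes.

Added example, not McAfee's analysis or Astaroth's real scheme. The
least-significant-bit layout, the magic header, the length prefix and the
sample config are assumptions; the carrier is a constructed RGB buffer.
"""
import json
import random
import struct

MAGIC = b"CFG1"  # assumed marker so the extractor can reject clean carriers


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Return a copy of `pixels` (bytes of RGB samples) whose LSBs carry
    MAGIC + 4-byte big-endian length + payload. Each sample changes by at
    most 1, which is invisible in a photo."""
    framed = MAGIC + struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("carrier too small: need %d samples, have %d"
                         % (len(framed) * 8, len(pixels)))
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(pixels):
    """Recover the payload, or None if no MAGIC header is present."""
    def read(n_bytes, offset):
        vals = bytearray()
        for b in range(n_bytes):
            v = 0
            for k in range(8):
                v = (v << 1) | (pixels[offset + b * 8 + k] & 1)
            vals.append(v)
        return bytes(vals)

    header = read(8, 0)
    if header[:4] != MAGIC:
        return None
    length = struct.unpack(">I", header[4:])[0]
    if 64 + length * 8 > len(pixels):  # truncated or corrupt carrier
        return None
    return read(length, 64)


def max_sample_delta(a, b):
    """Largest per-sample change between two carriers of equal length."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed sample: a 64x64 RGB "photo" of seeded noise and a made-up config.
random.seed(7)
CARRIER = bytes(random.getrandbits(8) for _ in range(64 * 64 * 3))
SAMPLE_CONFIG = json.dumps(
    {"c2": ["backup-c2.example", "fallback.example"], "port": 443, "v": 3}
).encode()

if __name__ == "__main__":
    stego = embed(CARRIER, SAMPLE_CONFIG)
    print("payload recovered:", extract(stego) == SAMPLE_CONFIG)
    print("max per-sample change:", max_sample_delta(CARRIER, stego))
    print("clean carrier yields:", extract(CARRIER))
```

The practical point for defenders is that the image is byte-for-byte a valid picture and the change per sample is at most one level, so content inspection of the download will not catch it; the useful signal is behavioural, namely an unexpected process fetching raw files from GitHub and then changing its network destinations.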
