by Harshil Patel and Prabudh Chakravorty
EDITOR'S NOTE: Special thanks to the GitHub team for working with us on this research. All malicious GitHub repositories mentioned in the following research have been reported to GitHub and taken down.
Digital banking has made our lives easier, but it’s also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today, we’re breaking down a particularly nasty variant called Astaroth, and it’s doing something clever: abusing GitHub to stay resilient.
McAfee’s Threat Research team recently uncovered a new Astaroth campaign that’s taken infrastructure abuse to a new level. Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations. When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running. Think of it like a criminal who keeps backup keys to your house hidden around the neighborhood. Even if you change your locks, they’ve got another way in.
Key Findings
McAfee recently discovered a new Astaroth campaign abusing GitHub to host malware configurations.
Infection begins with a phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file. When executed, it installs Astaroth malware on the system.
Astaroth detects when users access a banking/cryptocurrency website and steals the credentials using keylogging.
It sends the stolen information to the attacker using the Ngrok reverse proxy.
Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible: the configuration is hidden inside image files hosted on GitHub using steganography, keeping it in plain sight.
The GitHub repositories were reported to GitHub and have been taken down.
Key Takeaways
Don’t open attachments and links in emails from unknown sources.
Use two-factor authentication (2FA) on banking websites where possible.
Keep your antivirus up to date.
Geographical Prevalence
Astaroth is capable of targeting many South American countries like Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. It can also target Portugal and Italy.
But in the recent campaign, it seems to be largely focused on Brazil.
Figure 1: Geographical Prevalence
Conclusion
Astaroth is a password-stealing malware family that targets South America. The malware leverages GitHub to host configuration files, treating the platform as resilient backup infrastructure when primary C2 servers become inaccessible. McAfee reported the findings to GitHub and worked with their security research team to remove the malicious repositories, temporarily disrupting operations.
Technical Analysis
Figure 2: Infection chain
Phishing Email
The attack starts with an email to the victim containing a link to a site that serves a zip file. Emails themed around DocuSign documents and resumes are used to lure victims into downloading it.
Figure 3: Phishing Email
Figure 4: Phishing Email
Figure 5: Phishing Email
JavaScript Downloader
The downloaded zip file contains an LNK file carrying an obfuscated JavaScript command that is run using mshta.exe.
This command simply fetches more JavaScript code from the following URL:
To impede analysis, all the links are geo-restricted, such that they can only be accessed from the targeted geography.
The downloaded JavaScript then downloads a set of files into ProgramData from a randomly selected server:
Figure 6: Downloaded Files
Here:
"Corsair.Yoga.06342.8476.366.log" is the AutoIt compiled script,
"Corsair.Yoga.06342.8476.366.exe" is the AutoIt interpreter,
"stack.tmp" is the encrypted payload (Astaroth), and
"dump.log" is the encrypted malware configuration.
The AutoIt script is then executed by the JavaScript; the script builds shellcode and loads it into the memory of the AutoIt process.
Shellcode Analysis
Figure 7: AutoIt script building shellcode
The shellcode has three entry points; $LOADOFFSET is the one used to load a DLL in memory.
To run the shellcode, the script hooks the Kernel32 LocalCompact API so that a call to it jumps to the entry point.
Figure 8: Hooking LocalCompact API
The $LOADOFFSET entry point starts by resolving a set of APIs used for loading a DLL in memory. The resolved API addresses are stored in a jump table at the very beginning of the shellcode memory.
Figure 9: APIs resolved by shellcode
Here the shellcode is made to load a Delphi DLL, which decrypts the final payload and injects it into a newly created RegSvc.exe process.
Payload Analysis
The payload, the Astaroth malware itself, is written in Delphi. It uses various anti-analysis techniques and shuts down the system if it detects that it is being analyzed.
It checks for the following tools on the system:
Figure 10: List of analysis tools
It also makes sure that the system locale is not a United States or English locale.
Every second it checks for program windows such as browsers; if the foreground window has a banking-related site open, it hooks keyboard events to capture keystrokes.
Figure 11: Hooking keyboard events
Programs are targeted if they have a window class name containing chrome, ieframe, mozilla, xoff, xdesk, xtrava or sunawtframe.
Many banking-related sites are targeted, some of which are mentioned below:
caixa.gov.br
safra.com.br
Itau.com.br
bancooriginal.com.br
santandernet.com.br
btgpactual.com
We also observed some cryptocurrency-related sites being targeted:
etherscan.io
binance.com
bitcointrade.com.br
metamask.io
foxbit.com.br
localbitcoins.com
C2 Communication & Infrastructure
The stolen banking credentials and other information are sent to the C2 server using a custom binary protocol.
Figure 12: C2 communication
Astaroth’s C2 infrastructure and malware configuration are depicted below.
Figure 13: C2 infrastructure
The malware configuration is stored encrypted in dump.log and contains the following information:
Figure 14: Malware configuration
Every two hours the configuration is updated by fetching an image file from the config update URLs and extracting the hidden configuration from the image.
hxxps://bit[.]ly/4gf4E7H -> hxxps://raw.githubusercontent[.]com//dridex2024//razeronline//refs/heads/main/razerlimpa[.]png
The image file keeps the configuration hidden by storing it in the following format:
We found more GitHub repositories hosting image files with the above pattern and reported them to GitHub, which has taken them down.
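A defender pulling one of these images for triage wants a quick structural check before handing it to an analyst. The following is an added example, not McAfee's code and not a decoder for Astaroth's format (the format figure is not reproduced in this text); it assumes only the PNG specification and flags two generic places where data can hide in plain sight: bytes appended after the IEND chunk and chunks with non-standard type names. The sample image is constructed in the code.

```python
"""Added example (not McAfee's code): structural triage of a PNG fetched from a
config update URL. The checks are generic assumptions about where data can hide
in a PNG (bytes after IEND, non-standard chunks); they flag candidates for
analysis, they do not decode Astaroth's configuration format."""
import struct
import zlib
from typing import Dict, List, Sequence, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and its registered extensions.
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tEXt", "zTXt", "iTXt",
                   "tIME", "pHYs", "gAMA", "cHRM", "sRGB", "iCCP", "bKGD",
                   "sBIT", "tRNS", "hIST", "sPLT"}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one chunk: big-endian length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(extra: Sequence[Tuple[bytes, bytes]] = (), trailer: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG; `extra` chunks go before IEND, `trailer` after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # filter byte + one black pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailer


def inspect_png(data: bytes) -> Dict[str, object]:
    """Walk the chunk list and report anomalies worth a closer look."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks: List[Tuple[str, int]] = []
    findings: List[str] = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            findings.append("truncated chunk")
            break
        name = ctype.decode("ascii", "replace")
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"bad CRC in {name}")
        if name not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        chunks.append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            break  # a well-formed image ends here; anything after is suspicious
    trailing = len(data) - pos
    if trailing > 0:
        findings.append(f"{trailing} bytes after IEND")
    return {"chunks": chunks, "trailing_bytes": trailing, "findings": findings}


if __name__ == "__main__":
    print(inspect_png(build_sample_png()))
    print(inspect_png(build_sample_png(trailer=b"CONSTRUCTED-CONFIG-BLOB")))
    print(inspect_png(build_sample_png(extra=[(b"prIv", b"x" * 40)])))
```

Image viewers ignore both trailing bytes and unknown ancillary chunks, which is exactly why they are convenient hiding places; a clean result from this check does not clear the file (data can also sit inside pixel values), but a hit is a cheap reason to escalate.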
Persistence Mechanism
For persistence, Astaroth drops an LNK file in the Startup folder that runs the AutoIt script to launch the malware when the system starts.
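The infection chain described in this analysis (LNK launching mshta.exe, a renamed AutoIt interpreter in ProgramData executing a ".log" script, injection into a newly created RegSvc.exe, and a Startup-folder LNK) leaves a recognizable trail in endpoint telemetry. The following is an added example, not McAfee's code, that runs stage-by-stage detection logic over constructed Sysmon-style process and file events. The command lines, parent processes and file paths in the sample events are assumptions chosen to match the report's description, not values captured from the malware.

```python
"""Added example (not McAfee's code): detection logic for the stages of the
Astaroth infection chain, run over constructed Sysmon-style events. Paths and
command lines are assumptions, not values captured from the malware."""
import re
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample telemetry (not from the report):
#  S1: the LNK launches mshta.exe with an inline JavaScript command
#  S2: the AutoIt interpreter dropped in ProgramData runs the ".log" compiled script
#  S3: RegSvc.exe is spawned by that interpreter (injection target)
#  S4: an LNK is written to the Startup folder for persistence
#  last event: benign noise that must not match
SAMPLE_EVENTS: List[Event] = [
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'mshta.exe javascript:eval("CONSTRUCTED_SAMPLE")'},
    {"kind": "process", "image": r"C:\ProgramData\Corsair.Yoga.06342.8476.366.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\ProgramData\Corsair.Yoga.06342.8476.366.exe" '
                r'"C:\ProgramData\Corsair.Yoga.06342.8476.366.log"'},
    {"kind": "process", "image": r"C:\Windows\System32\RegSvc.exe",
     "parent": r"C:\ProgramData\Corsair.Yoga.06342.8476.366.exe",
     "cmdline": "RegSvc.exe"},
    {"kind": "file", "image": r"C:\ProgramData\Corsair.Yoga.06342.8476.366.exe",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\Corsair.lnk"},
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

SCRIPT_HOST = re.compile(r"\\(mshta|wscript|cscript)\.exe$", re.I)
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):|https?://", re.I)
PROGRAMDATA = re.compile(r"^[A-Za-z]:\\ProgramData\\", re.I)
# Interpreter fed a file with a non-script extension: the renamed-AutoIt pattern.
ODD_SCRIPT_ARG = re.compile(r'\.(log|tmp|dat)"?\s*$', re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

STAGES = {
    "S1": "script host launched with inline script or URL (LNK -> mshta.exe)",
    "S2": "ProgramData executable run with a .log/.tmp/.dat argument (AutoIt loader)",
    "S3": "RegSvc.exe spawned by a ProgramData parent (injection target)",
    "S4": "Startup-folder LNK written by a ProgramData process (persistence)",
}


def evaluate(event: Event) -> List[str]:
    """Return the stage ids that a single event matches."""
    hits: List[str] = []
    if event["kind"] == "process":
        image, parent, cmd = event["image"], event["parent"], event["cmdline"]
        if SCRIPT_HOST.search(image) and INLINE_SCRIPT.search(cmd):
            hits.append("S1")
        if PROGRAMDATA.match(image) and ODD_SCRIPT_ARG.search(cmd):
            hits.append("S2")
        if image.lower().endswith(r"\regsvc.exe") and PROGRAMDATA.match(parent):
            hits.append("S3")
    elif event["kind"] == "file":
        if STARTUP_LNK.search(event["path"]) and PROGRAMDATA.match(event["image"]):
            hits.append("S4")
    return hits


def scan(events: List[Event]) -> Dict[int, List[str]]:
    """Map event index -> matched stages, omitting events that match nothing."""
    results: Dict[int, List[str]] = {}
    for idx, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results[idx] = hits
    return results


def chain_coverage(events: List[Event]) -> List[str]:
    """Stages observed, in chain order. Several stages on one host is the strong
    signal; a lone S1 or S3 is a lead to triage, not a verdict."""
    seen = {s for hits in scan(events).values() for s in hits}
    return [s for s in STAGES if s in seen]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, [STAGES[h] for h in hits])
    print("chain coverage:", chain_coverage(SAMPLE_EVENTS))
```

The value of correlating stages rather than alerting on each one is that S1 (mshta.exe with an inline script) and S2 (an odd-looking interpreter argument) both occur in legitimate environments on their own; the same host showing S2 followed by S3 and S4 within minutes is what matches the chain this report describes.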
McAfee Coverage
McAfee has extensive coverage for Astaroth:
Trojan:Shortcut/SuspiciousLNK.OSRT
Trojan:Shortcut/Astaroth.OJS
Trojan:Script/Astaroth.DL
Trojan:Script/Astaroth.AI
Trojan:Script/AutoITLoader.LC!2
Trojan:Shortcut/Astaroth.STUP
Indicators of Compromise
IOC type: Hash / URL
Email
7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70
7609973939b46fe13266eacd1f06b533f8991337d6334c15ab78e28fa3b320be
11f0d7e18f9a2913d2480b6a6955ebc92e40434ad11bed62d1ff81ddd3dda945
ZIP URL
https://91.220.167.72.host.secureserver[.]net/peHg4yDUYgzNeAvm5.zip
LNK
34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df
JS Downloader
28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c
Download server
clafenval.medicarium[.]help
sprudiz.medicinatramp[.]click
frecil.medicinatramp[.]beauty
stroal.medicoassocidos[.]beauty
strosonvaz.medicoassocidos[.]help
gluminal188.trovaodoceara[.]sbs
scrivinlinfer.medicinatramp[.]icu
trisinsil.medicesterium[.]help
brusar.trovaodoceara[.]autos
gramgunvel.medicoassocidos[.]beauty
blojannindor0.trovaodoceara[.]motorcycles
AutoIT compiled script
a235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b
Injector dll
db9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34
Payload
251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195
Startup LNK
049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43
C2 server
1.tcp.sa.ngrok[.]io:20262
1.tcp.us-cal-1.ngrok[.]io:24521
5.tcp.ngrok[.]io:22934
7.tcp.ngrok[.]io:22426
9.tcp.ngrok[.]io:23955
9.tcp.ngrok[.]io:24080
Config update URL
https://bit[.]ly/49mKne9
https://bit[.]ly/4gf4E7H -> https://raw.githubusercontent[.]com/dridex2024/razeronline/refs/heads/main/razerlimpa.png
GitHub Repositories hosting config images
https://github[.]com/dridex2024/razeronline
https://github[.]com/Config2023/01atk-83567z
https://github[.]com/S20x/m25
https://github[.]com/Tami1010/base
https://github[.]com/balancinho1/balaco
https://github[.]com/fernandolopes201/675878fvfsv2231im2
https://github[.]com/polarbearfish/fishbom
https://github[.]com/polarbearultra/amendointorrado
https://github[.]com/projetonovo52/master
https://github[.]com/vaicurintha/gol
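Loading the indicators above into a blocking control needs more care than a plain copy, because several of them live on shared services: blocking github.com, raw.githubusercontent.com or bit.ly outright is not an option, and a ngrok hostname such as 1.tcp.sa.ngrok[.]io is shared by every tunnel on that host, so only the host:port pair identifies the attacker's endpoint. The following is an added example, not McAfee's code, that refangs a subset of the published IOCs, classifies each one and decides the scope at which it can be blocked; the indicator values are copied from the report, while the list of shared hosts and the scoping rules are the author's assumptions.

```python
"""Added example (not McAfee's code): turn the defanged indicators published in
the report into a typed watchlist with a safe blocking scope for each entry.
Indicator values are from the report; SHARED_HOSTS and the scoping rules are
assumptions about shared infrastructure (GitHub, bit.ly, ngrok)."""
import re
from typing import Dict, Iterable, Set, Tuple
from urllib.parse import urlparse

# Subset of the published IOCs, as printed in the report (defanged).
PUBLISHED_IOCS = [
    "7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70",
    "https://91.220.167.72.host.secureserver[.]net/peHg4yDUYgzNeAvm5.zip",
    "clafenval.medicarium[.]help",
    "1.tcp.sa.ngrok[.]io:20262",
    "hxxps://bit[.]ly/4gf4E7H",
    "https://raw.githubusercontent[.]com/dridex2024/razeronline/refs/heads/main/razerlimpa.png",
    "https://github[.]com/dridex2024/razeronline",
]

# Legitimate shared services (assumption): block the exact URL path, never the domain.
SHARED_HOSTS = {"github.com", "raw.githubusercontent.com", "bit.ly"}

SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
HOST_PORT = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$")
HOSTNAME = re.compile(r"^(?=.*\.)[A-Za-z0-9.-]+$")


def refang(ioc: str) -> str:
    """Undo the [.] and hxxp defanging used in published reports."""
    return re.sub(r"^hxxp", "http", ioc.strip().replace("[.]", "."), flags=re.I)


def classify(ioc: str) -> Tuple[str, str]:
    """Return (kind, refanged value) for one indicator line."""
    value = refang(ioc)
    if SHA256.match(value):
        return "sha256", value.lower()
    if value.lower().startswith(("http://", "https://")):
        return "url", value
    if HOST_PORT.match(value):
        return "host_port", value
    if HOSTNAME.match(value):
        return "domain", value.lower()
    return "unknown", value


def block_scope(kind: str, value: str) -> str:
    """What a blocking control should key on for this indicator."""
    if kind == "url":
        host = urlparse(value).hostname or ""
        return "url_path" if host in SHARED_HOSTS else "domain"
    if kind == "host_port":
        host = value.rsplit(":", 1)[0]
        # ngrok hostnames are multi-tenant; only the port singles out this tunnel.
        return "host_port" if host.endswith(".ngrok.io") else "domain"
    return kind


def build_watchlist(iocs: Iterable[str]) -> Dict[str, Set[str]]:
    """Group indicators by blocking scope, reducing to a bare domain where safe."""
    out: Dict[str, Set[str]] = {}
    for ioc in iocs:
        kind, value = classify(ioc)
        scope = block_scope(kind, value)
        if scope == "domain" and kind == "url":
            value = urlparse(value).hostname or value
        elif scope == "domain" and kind == "host_port":
            value = value.rsplit(":", 1)[0]
        out.setdefault(scope, set()).add(value)
    return out


if __name__ == "__main__":
    for scope, values in build_watchlist(PUBLISHED_IOCS).items():
        print(scope, sorted(values))
```

The "url_path" bucket is the one to feed into a proxy or EDR rule that matches full URLs, while the "domain" bucket can go to DNS sinkholing; keeping them separate avoids the common mistake of turning a GitHub raw-content URL into a domain block that breaks the whole organization's GitHub access.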
The post Astaroth: Banking Trojan Abusing GitHub for Resilience appeared first on McAfee Blog.