Threat Spotlight: Astaroth – Maze of Obfuscation and Evasion Reveals Dark Stealer
By Nick Biasini, Edmund Brumaghin and Nick Lister.
Executive summary
The threat landscape is full of various malware families being delivered in a continuous wave to enterprises and individuals alike. Nearly all of these threats have one thing in common: money. Many threats generate income for financially motivated adversaries by granting access to data stored on end systems, which can be monetized in a variety of ways. To maximize income, some malware authors and/or malware distributors go to extreme lengths to evade detection, specifically to avoid automated malware analysis environments and analysts who may be debugging them. The Astaroth campaigns we are detailing today are a textbook example of these kinds of evasion techniques in use.
The threat actors behind these campaigns were so concerned with evasion that they did not include just a couple of anti-analysis checks, but a large number of checks, including some rarely seen in commodity malware. This kind of campaign highlights the level of sophistication that some financially motivated actors have achieved over the past few years. This campaign targeted Brazil and featured lures designed specifically to appeal to Brazilian citizens, including COVID-19 and Cadastro de Pessoas Físicas status. Beyond that, the dropper used sophisticated techniques and several layers of evasion and obfuscation before even delivering the final malicious payload. There is another group of checks after the payload is delivered to ensure, with reasonable certainty, that the payload is only executed on systems located in Brazil and not on that of a researcher or some other piece of security technology, most notably sandboxes. Beyond that, this malware uses novel techniques for command and control updates via YouTube, along with a variety of other techniques and methods, both old and new.
This blog provides our in-depth analysis of the Astaroth malware family and details some campaigns we have observed over the last nine to 12 months. This will include a comprehensive walkthrough of deobfuscating the attack, from the initial spam message, to the dropper mechanisms, and finally to all the evasion techniques Astaroth has implemented. The goal is to give researchers the tools and knowledge to analyze this within their own environments. This malware is as elusive as it gets and will likely continue to be a headache for both users and defenders for the foreseeable future. This is particularly true if its targeting moves beyond Brazil and South America.