Astaroth banking trojan leverages GitHub to restore command-and-control, McAfee says

A campaign delivering the Astaroth banking trojan uses GitHub repositories to keep operating when its traditional command-and-control servers are disrupted, McAfee Labs researchers Harshil Patel and Prabudh Chakravorty warned.

According to the report, the activity is primarily focused on Brazil but also affects other Latin American countries, and it begins with a DocuSign-themed phishing email that delivers a zipped Windows shortcut (.lnk) file. The LNK contains obfuscated JavaScript that fetches additional JavaScript from external servers and downloads multiple files from randomly selected hard-coded servers.

McAfee’s analysis said those downloaded components include an AutoIt script that executes shellcode to load a Delphi-based DLL, which decrypts and injects the Astaroth malware into a newly created RegSvc.exe process. The Delphi malware monitors browser program windows for banking and cryptocurrency sites, records keystrokes and transmits captured credentials using an Ngrok reverse proxy.

The researchers listed targeted sites that include caixa.gov[.]br, safra.com[.]br, itau.com[.]br, bancooriginal.com[.]br, santandernet.com[.]br, btgpactual[.]com, etherscan[.]io, binance[.]com, bitcointrade.com[.]br, metamask[.]io, foxbit.com[.]br and localbitcoins[.]com.

McAfee said Astaroth includes anti-analysis checks and will shut down if it detects emulators, debuggers or analysis tools such as QEMU Guest Agent, HookExplorer, IDA Pro, Immunity Debugger, PE Tools, WinDbg or Wireshark. Persistence is established by dropping an LNK in the Windows Startup folder to run the AutoIt script on reboot, and the malware geofences its initial URL and avoids systems whose locale is set to English (U.S.), the report added.
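The execution chain above (script host running the LNK's JavaScript, AutoIt interpreter running a script, RegSvc.exe spawned from AutoIt, and a Startup-folder LNK for persistence) can be hunted for in process and file telemetry. The following is an added example, not McAfee's code; the event records are constructed, and the assumption that the AutoIt interpreter keeps its stock name AutoIt3.exe is noted in the code.

```python
"""Heuristic hunt for the Astaroth chain described in the article:
script host -> AutoIt interpreter -> RegSvc.exe, plus a Startup-folder LNK.
The events below are constructed Sysmon-style records, not real telemetry."""
import re

# Constructed sample telemetry: (event_type, parent_image, image_or_path, details)
SAMPLE_EVENTS = [
    ("process", "explorer.exe", "wscript.exe",
     r"wscript.exe C:\Users\alice\Downloads\DocuSign_0001.js"),
    ("process", "wscript.exe", "AutoIt3.exe",
     r"C:\Users\Public\Libraries\xk9\AutoIt3.exe C:\Users\Public\Libraries\xk9\xk9.a3x"),
    ("process", "AutoIt3.exe", "RegSvc.exe", r"C:\Windows\System32\RegSvc.exe"),
    ("file", "",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xk9.lnk",
     "target=C:\\Users\\Public\\Libraries\\xk9\\AutoIt3.exe"),
    ("process", "explorer.exe", "notepad.exe", r"notepad.exe C:\Users\alice\todo.txt"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: the AutoIt interpreter keeps its stock name; samples may rename it,
# so a hardened rule would also key on the original-filename PE metadata.
AUTOIT_RE = re.compile(r"autoit3?\.exe", re.I)
AUTOIT_SCRIPT_RE = re.compile(r"\.(a3x|au3)\b", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

def classify(event):
    """Return the chain stage an event matches, or None if it matches nothing."""
    kind, parent, image, details = event
    if kind == "process":
        if image.lower() in SCRIPT_HOSTS and re.search(r"\.js\b", details, re.I):
            return "stage1_js_script_host"
        if AUTOIT_RE.search(image) and AUTOIT_SCRIPT_RE.search(details):
            return "stage2_autoit_script"
        if image.lower() == "regsvc.exe" and AUTOIT_RE.search(parent):
            return "stage3_regsvc_from_autoit"
    elif kind == "file":
        if STARTUP_RE.search(image) and AUTOIT_RE.search(details):
            return "persistence_startup_lnk"
    return None

def hunt(events):
    """Collect the distinct stages seen; two or more together is a strong signal."""
    stages = sorted({s for s in (classify(e) for e in events) if s})
    return stages, len(stages) >= 2

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Any single stage on its own (a script host running a .js file, say) is common in benign activity; the value is in correlating several stages on one host within a short window.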

McAfee said the campaign uses GitHub as a resilient backup by hosting images that carry configuration data via steganography, and that the company worked with the Microsoft-owned subsidiary to remove the repositories and temporarily neutralize the operations.