As if the difficult moment we are currently experiencing is not enough, the
digital landscape also brings new virtual threats, full of
malware families that are constantly bombarding companies and individuals in Brazil.
Most of these threats have one thing in common: money. Many of these scams
generate revenue for online criminals who are financially motivated by
gaining access to data stored on systems that can be monetized in a
variety of ways. To maximize profits, some malware authors and/or
malware distributors go to extreme lengths to avoid detection,
specifically to evade automated analysis environments and the
analysts who may be debugging their code. The Astaroth malware campaign is a
textbook example of evasion types and techniques applied in practice.
Those responsible for these malware campaigns were so concerned about
evasion that they included not just one or two anti-analysis checks, but
dozens of checks, including some rarely seen in most
commodity malware. This type of campaign highlights the level of sophistication
that some financially motivated cybercriminals have achieved in recent
years. The campaign is aimed exclusively at Brazil and uses lures
designed specifically for Brazilian citizens, including
COVID-19 status and the Individual Taxpayer Registry (CPF).
In addition, the "Dropper" program used to download the main payload employs
sophisticated techniques and many layers of obfuscation and evasion before it ever
delivers the final malicious content. Once the payload is delivered, a further series
of checks ensures that the file will only execute on systems
located in Brazil, and not on a researcher's machine or a security system
such as a sandbox. This malware also uses new techniques for
command-and-control updates via YouTube, along with a plethora of other techniques and
methods, both new and old.
This analysis will provide in-depth research of the
Astaroth family of malware and will detail a series of campaigns that the Talos team has observed over the
past nine to 12 months. This will include a detailed step-by-step attack
from the initial spam message, to the Dropper mechanisms, and finally the
evasion techniques that Astaroth has implemented. This malware is as elusive as
possible and will likely remain a headache for both users
and defenders in the future. In addition, this malware family
is being updated and modified at an alarming rate, implying that its
development is still being actively improved. These adversaries also
move fast, rotating to new scams almost weekly
to stay nimble and ahead of defenders.
These financially motivated threats continue to grow in sophistication,
as cybercriminals find more ways to generate large
sums of money and profit. Astaroth is just one more example of this, and
evasion/anti-analysis will be paramount to the success of malware families in the
Organizations need multiple layers of technology and controls
to minimize the potential negative impact of these threats. To that end, it
is important to deploy security technologies that cover endpoints, domains,
DNS, web and the network.