Astaroth: Banking Trojan Abusing GitHub for Resilience

by Harshil Patel and Prabudh Chakravorty

Digital banking has made our lives easier, but it’s also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today, we’re breaking down a particularly nasty variant called Astaroth, and it’s doing something clever: abusing GitHub to stay resilient.

McAfee’s Advanced Threat Research team recently uncovered a new Astaroth campaign that’s taken infrastructure abuse to a new level. Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations. When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running. Think of it like a criminal who keeps backup keys to your house hidden around the neighborhood. Even if you change your locks, they’ve got another way in.

Key Findings 

  • McAfee recently discovered a new Astaroth campaign abusing GitHub to host malware configurations. 
  • Infection begins with a phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file. When executed, it installs Astaroth malware on the system. 
  • Astaroth detects when users access a banking/cryptocurrency website and steals the credentials using keylogging.  
  • It sends the stolen information to the attacker using the Ngrok reverse proxy. 
  • Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible, by hosting images on GitHub which uses steganography to hide this information in plain sight. 
  • The GitHub repositories were reported to GitHub and are taken down. 

Key Takeaways  

  • Don’t open attachments and links in emails from unknown sources. 
  • Use 2 factor authentication (2FA) on banking websites where possible. 
  • Keep your antivirus up to date. 

Geographical Prevalence 

Astaroth is capable of targeting many South American countries like Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. It can also target Portugal and Italy. 

But in the recent campaign, it seems to be largely focused on Brazil. 

Figure 1: Geographical Prevalence 

 

Conclusion 

Astaroth is a password-stealing malware family that targets South America. The malware leverages GitHub to host configuration files, treating the platform as resilient backup infrastructure when primary C2 servers become inaccessible. McAfee reported the findings to GitHub and worked with their security research team to remove the malicious repositories, temporarily disrupting operations. 

 

Technical Analysis 

Figure 2 : Infection chain 

 

Phishing Email 

The attack starts with an e-mail to the victim which contains a link to a site that downloads a zip file. Emails with themes such as DocuSign and resumes are used to lure the victims into downloading a zip file. 

Figure 3: Phishing Email

Figure 4: Phishing Email

Figure 5: Phishing Email

 

JavaScript Downloader 

The downloaded zip file contains a LNK file, which has obfuscated javascript command run using mshta.exe. 

 

This command simply fetches more javascript code from the following URL: 

 

To impede analysis, all the links are geo-restricted, such that they can only be accessed from the targeted geography. 

The downloaded javascript then downloads a set of files in ProgramData from a randomly selected server: 

Figure 6: Downloaded Files

Here,  

”Corsair.Yoga.06342.8476.366.log” is  AutoIT compiled script, “Corsair.Yoga.06342.8476.366.exe” is AutoIT interpreter, 

“stack.tmp” is an encrypted payload (Astaroth), 

 and “dump.log” is an encrypted malware configuration. 

AutoIt script is executed by javascript, which builds and loads a shellcode in the memory of AutoIT process. 

 

Shellcode Analysis 

Figure 7: AutoIt script building shellcode

The shellcode has 3 entrypoints and $LOADOFFSET is the one using which it loads a DLL in memory. 

To run the shellcode the script hooks Kernel32: LocalCompact, and makes it jump to the entrypoint. 

Figure 8: Hooking LocalCompact API 

 
Shellcode’s $LOADOFFSET starts by resolving a set of APIs that are used for loading a DLL in memory. The API addresses are stored in a jump table at the very beginning of the shellcode memory. 

Figure 9: APIs resolved by shellcode 

 

Here shellcode is made to load a DLL file(Delphi) and this DLL decrypts and injects the final payload into newly created RegSvc.exe process. 

 

Payload Analysis 

The payload, Astaroth malware is written in Delphi and uses various anti-analysis techniques and shuts down the system if it detects that it is being analyzed. 

It checks for the following tools in the system: 

Figure 10: List of analysis tools 

 

It also makes sure that system locale is not related to the United States or English. 

Every second it checks for program windows like browsers, if that window is in foreground and has a banking related site opened then it hooks keyboard events to get keystrokes. 

Figure 11: Hooking keyboard events 

Programs are targeted if they have a window class name containing chrome, ieframe, mozilla, xoff, xdesk, xtrava or sunawtframe.

Many banking-related sites are targeted, some of which are mentioned below:
caixa.gov.br 

safra.com.br 

Itau.com.br 

bancooriginal.com.br 

santandernet.com.br 

btgpactual.com 

 

We also observed some cryptocurrency-related sites being targeted: 

etherscan.io 

binance.com 

bitcointrade.com.br 

metamask.io 

foxbit.com.br 

localbitcoins.com 

 

C2 Communication & Infrastructure 

The stolen banking credentials and other information are sent to C2 server using a custom binary protocol. 

Figure 12: C2 communication  

 

Astaroth’s C2 infrastructure and malware configuration are depicted below. 

Figure 13: C2 infrastructure 

Malware config is stored in dump.log encrypted, following is the information stored in it: 

Figure 14: Malware configuration 

 

Every 2 hours the configuration is updated by fetching an image file from config update URLs and extracting the hidden configuration from the image. 

hxxps://bit[.]ly/4gf4E7H —> hxxps://raw.githubusercontent[.]com//dridex2024//razeronline//refs/heads/main/razerlimpa[.]png 

Image file keeps the configuration hidden by storing it in the following format:

We found more such GitHub repositories having image files with above pattern and reported them to GitHub, which they have taken down. 

Persistence Mechanism  

For persistence, Astaroth drops a LNK file in startup folder which runs the AutoIT script to launch the malware when the system starts.  

McAfee Coverage 

McAfee has extensive coverage for Astaroth: 

Trojan:Shortcut/SuspiciousLNK.OSRT 

Trojan:Shortcut/Astaroth.OJS 

Trojan:Script/Astaroth.DL 

Trojan:Script/Astaroth.AI 

Trojan:Script/AutoITLoader.LC!2 

Trojan:Shortcut/Astaroth.STUP 

Indicator Of Compromise(s) 

IOC  Hash / URL 
Email  7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70
7609973939b46fe13266eacd1f06b533f8991337d6334c15ab78e28fa3b320be
11f0d7e18f9a2913d2480b6a6955ebc92e40434ad11bed62d1ff81ddd3dda945 
ZIP URL  https://91.220.167.72.host.secureserver[.]net/peHg4yDUYgzNeAvm5.zip 
LNK  34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df 
JS Downloader  28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c 
Download server  clafenval.medicarium[.]help
sprudiz.medicinatramp[.]click
frecil.medicinatramp[.]beauty
stroal.medicoassocidos[.]beauty
strosonvaz.medicoassocidos[.]help
gluminal188.trovaodoceara[.]sbs
scrivinlinfer.medicinatramp[.]icu
trisinsil.medicesterium[.]help
brusar.trovaodoceara[.]autos
gramgunvel.medicoassocidos[.]beauty
blojannindor0.trovaodoceara[.]motorcycles 
AutoIT compiled script  a235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b 
Injector dll  db9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34 
payload  251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195 
Startup LNK  049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43 
C2 server  1.tcp.sa.ngrok[.]io:20262
1.tcp.us-cal-1.ngrok[.]io:24521
5.tcp.ngrok[.]io:22934
7.tcp.ngrok[.]io:22426
9.tcp.ngrok[.]io:23955
9.tcp.ngrok[.]io:24080 
Config update URL  https://bit[.]ly/49mKne9
https://bit[.]ly/4gf4E7H https://raw.githubusercontent[.]com/dridex2024/razeronline/refs/heads/main/razerlimpa.png 
GitHub Repositories hosting config images  https://github[.]com/dridex2024/razeronline 

https://github[.]com/Config2023/01atk-83567z 

https://github[.]com/S20x/m25 

https://github[.]com/Tami1010/base 

https://github[.]com/balancinho1/balaco 

https://github[.]com/fernandolopes201/675878fvfsv2231im2 

https://github[.]com/polarbearfish/fishbom 

https://github[.]com/polarbearultra/amendointorrado 

https://github[.]com/projetonovo52/master 

https://github[.]com/vaicurintha/gol 

 

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.

FacebookTwitterInstagramLinkedINYouTubeRSS

More from McAfee Labs

Back to top