Astaroth Banking Trojan Using GitHub to Capture Crypto Credentials

Simply Put

  • McAfee has identified a Trojan campaign that uses GitHub to redirect the malware to new servers when its existing ones are taken down.
  • This malware primarily focuses on South American nations, particularly Brazil.
  • It spreads through phishing emails and is capable of stealing banking and cryptocurrency information.

Hackers are deploying banking Trojans that leverage GitHub repositories to adapt whenever their servers go offline, as reported by a McAfee investigation.

The Trojan, known as Astaroth, propagates through phishing emails, encouraging victims to download specific Windows files that ultimately install the malware onto their computers.

Astaroth operates in the background, employing keyloggers to capture sensitive banking and cryptocurrency credentials and an Ngrok reverse proxy to relay that information to its operators.

One notable aspect of Astaroth is its ability to modify server configurations via GitHub whenever the command and control server is taken down, often due to actions by cybersecurity firms or law enforcement.

“GitHub serves not to host the malware itself but to maintain the configuration connecting to the bot server,” said Abhishek Karnik from McAfee’s threat research team.

Karnik clarified that this method is different from past occurrences where GitHub was merely a hosting platform, emphasizing that in this case, it’s being used to divert victims to new servers.
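The pattern described above gives defenders something concrete to hunt for: an endpoint that fetches a small file from GitHub and, shortly afterwards, starts talking to an Ngrok tunnel. The following script is an added example, not code from McAfee or from the campaign itself; it correlates those two events per source host in a constructed proxy log. The log format, the GitHub and Ngrok hostname patterns, and the ten-minute correlation window are assumptions chosen for the example.

```python
"""Hunt for the GitHub-config-then-Ngrok pattern over a proxy log.

Added example. The log format, the hostname patterns and the ten-minute
window are assumptions; the log lines below are constructed, not real
telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log, one request per line:
# "<ISO timestamp> <src_ip> <dst_host> <method> <path>"
SAMPLE_LOG = """\
2025-03-01T09:00:01 10.0.0.5 raw.githubusercontent.com GET /example-org/repo/main/config.txt
2025-03-01T09:00:04 10.0.0.5 1a2b3c4d.ngrok-free.app POST /gate
2025-03-01T09:03:10 10.0.0.7 raw.githubusercontent.com GET /someone/dotfiles/main/.vimrc
2025-03-01T09:15:00 10.0.0.7 example.com GET /
2025-03-01T10:30:00 10.0.0.9 1a2b3c4d.ngrok-free.app POST /gate
2025-03-01T11:00:00 10.0.0.9 raw.githubusercontent.com GET /x/y/main/cfg.txt
"""

# Hosts from which a configuration file could be fetched (assumed list).
GITHUB_HOSTS = {"raw.githubusercontent.com", "github.com", "gist.githubusercontent.com"}
# Ngrok tunnel suffixes (assumed; extend to match your environment's telemetry).
NGROK_RE = re.compile(r"\.(ngrok\.io|ngrok-free\.app|ngrok\.app)$")
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_host, method, path)."""
    ts, src, host, method, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), src, host.lower(), method, path


def find_fallback_pattern(log_text, window=WINDOW):
    """Return {src_ip: (github_event, ngrok_event)} for every source host
    that contacted GitHub and then an Ngrok tunnel within `window`.

    Order matters: an Ngrok connection that precedes the GitHub fetch is
    not counted, and a GitHub fetch with no tunnel traffic afterwards is
    ordinary developer activity, not a hit.
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, host, method, path = parse_line(line)
        events[src].append((ts, host, method, path))

    hits = {}
    for src, evs in events.items():
        evs.sort()  # chronological order per source host
        for i, (ts_g, host_g, _, path_g) in enumerate(evs):
            if host_g not in GITHUB_HOSTS:
                continue
            # Look ahead only within the correlation window.
            for ts_n, host_n, _, path_n in evs[i + 1:]:
                if ts_n - ts_g > window:
                    break
                if NGROK_RE.search(host_n):
                    hits[src] = ((ts_g, host_g, path_g), (ts_n, host_n, path_n))
                    break
            if src in hits:
                break
    return hits


if __name__ == "__main__":
    for src, (gh, ng) in find_fallback_pattern(SAMPLE_LOG).items():
        print(f"{src}: GitHub fetch {gh[2]} at {gh[0]} -> Ngrok {ng[1]} at {ng[0]}")
```

In the constructed log only 10.0.0.5 is flagged: 10.0.0.7 fetches from GitHub but never reaches a tunnel, and 10.0.0.9 talks to Ngrok before its GitHub request, so neither matches. Neither a GitHub fetch nor an Ngrok connection is suspicious on its own; the sequence is the signal, which is why the correlation is done per host and in time order.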

This strategy has evolved since the introduction of other malicious tactics, including Redline Stealer malware, which has also been linked to GitHub deployments this year.

“However, in this instance, the configurations direct the malware’s communication with its backend,” Karnik noted.

Like the GitVenom campaign, Astaroth aims to extract credentials for stealing cryptocurrencies or illegally transferring funds from bank accounts.

“While we don’t have precise figures on the financial losses, the malware seems particularly widespread, especially in Brazil,” Karnik remarked.

Targeting South America

Astaroth appears to have a stronger focus on South America, including countries such as Mexico, Uruguay, Argentina, and others.

Although it could affect nations like Portugal or Italy, the malware contains checks that prevent it from deploying in the United States and other English-speaking countries.

The malware is designed to deactivate on hosts where it detects certain analytics software running, while its keylogging activates only on specific banking websites.

Targeted domains include caixa.gov.br, safra.com.br, itau.com.br, among others.

It also aims at cryptocurrency platforms such as etherscan.io, binance.com, and more.

In light of these threats, McAfee recommends users keep their antivirus software up to date, enable two-factor authentication, and refrain from clicking on links or attachments from suspicious sources.
