Astaroth Trojan exploits Cloudflare Workers to remain stealthy

• Astaroth Trojan is known for stealing valuable information, usually by abusing legitimate operating system tools to gain access.
• A new campaign has been launched to deliver Astaroth Trojan through the Cloudflare Workers serverless computing platform. This helps the Trojan avoid detection and blocks automated analysis attempts.

Astaroth Trojan is notorious in the world of cybersecurity for using living off the land binaries (LOLbins) to remain undetected. In the latest Astaroth campaign, the Trojan is distributed through the Cloudflare Workers serverless computing platform to evade antivirus software.

How is the attack launched?

Astaroth’s operators use Cloudflare Workers as a part of their three-step infection process.

• First, a phishing email is sent under the guise of being an automated email for audit or billing requests. The email comes with an HTML attachment that contains obfuscated JavaScript code. This code downloads the next payload that lies behind the Cloudflare infrastructure. The payload delivers different types of JSON payload based on the target’s geolocation and allows attackers to change file object types for different targets.
• In the second stage of the attack, the JSON is parsed and saved as a ZIP file by the user’s browser. The ZIP file contains a URL that points at a script created using the Cloudflare Workers dashboard and is used to download the final payload.
• In the last stage, a malicious DLL is loaded that communicates with attacker-controlled YouTube and Facebook profiles to receive the final command-and-control server address.

Evolution of Astaroth Trojan

The Astaroth Trojan is believed to be active since late 2017. It evolved its campaign in 2018 to exclusively target South American users.

In Astaroth’s February 2019 campaign, the attackers focused on stealing credentials from Brazilian users. They injected a malicious module in the antivirus software Avast to extract information about the target systems.

Microsoft discovered another Astaroth campaign during the months of May and June in 2019. Andrea Lelli, from Microsoft Defender ATP Research, says, “Abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.”