A cybercriminal gang has put together a phishing campaign that utilizes several trusted sources, along with insider help from a top-tier security company, to convince its victims to open and download a malicious attachment.
Cofense Intelligence found the malicious actors, who are only targeting Brazilians, are extensively using trusted names, legitimate Windows services and Cloudflare workers to inject the Astaroth trojan with the aim of stealing banking credentials. However, despite the effort put forth by the gang, Cofense researchers said the attacks can be stopped if the proper precautions, both human and technical, are in place.
The current campaign is sending emails only in Portuguese, pretending to be either an invoice, show ticket or civil lawsuit. In each case the body of the email is socially engineered to convince the recipient to open and then download the attached .htm file.
These subsequent downloads help the malware evade AV, whitelisting and URL filtering security functions.
The malware then uses a technique called process hollowing, in which previously downloaded code is injected into several legitimate programs, the most important of which is unins000.exe, a program associated with the Brazilian banking system.
Astaroth then uses YouTube and Facebook profiles, normally trustworthy sites, to host and maintain its C2 configuration data.
“The data is within posts on Facebook or within the profile information of user accounts on YouTube. By hosting the C2 data within these trusted sources, the threat actors can bypass network security measures like content filtering. The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down,” Cofense wrote.
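The process-hollowing and social-media C2 behaviour described above gives defenders a simple correlation to hunt for: an uninstaller such as unins000.exe has no business connecting to YouTube or Facebook. The following is an added detection example, not code from Cofense or the article; the event format and the sample telemetry are constructed for illustration and do not match any real EDR or Sysmon output.

```python
import json

# Constructed sample telemetry (not real Sysmon/EDR output): one JSON event per line.
SAMPLE_EVENTS = r"""
{"ts": "2019-09-10T14:02:01Z", "event": "process_create", "pid": 4120, "image": "C:\\Program Files\\Vendor\\unins000.exe", "parent_image": "C:\\Windows\\System32\\wmic.exe"}
{"ts": "2019-09-10T14:02:03Z", "event": "network_connect", "pid": 4120, "dest_host": "www.youtube.com", "dest_port": 443}
{"ts": "2019-09-10T14:02:04Z", "event": "network_connect", "pid": 4120, "dest_host": "www.facebook.com", "dest_port": 443}
{"ts": "2019-09-10T14:05:00Z", "event": "process_create", "pid": 5210, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2019-09-10T14:05:02Z", "event": "network_connect", "pid": 5210, "dest_host": "www.youtube.com", "dest_port": 443}
{"ts": "2019-09-10T14:06:00Z", "event": "process_create", "pid": 6001, "image": "C:\\Program Files\\Vendor\\unins000.exe", "parent_image": "C:\\Windows\\explorer.exe"}
"""

# Legitimate programs the article names as process-hollowing targets. Only
# unins000.exe is named on the page; a team would extend this set from its own telemetry.
HOLLOWING_TARGETS = {"unins000.exe"}
# Domains the article says host Astaroth's C2 configuration data.
C2_HOST_SUFFIXES = ("youtube.com", "facebook.com")


def is_c2_host(host):
    """True for the domains themselves and any subdomain (m.youtube.com), not lookalikes."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in C2_HOST_SUFFIXES)


def find_suspicious(lines):
    """Return (pid, image basename, dest_host) for every connection from a
    hollowing target to a social-media domain. The image is tracked per pid
    from its process_create event, so a bare network event is never flagged
    without knowing which program made it."""
    image_by_pid = {}
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev["event"] == "process_create":
            image_by_pid[ev["pid"]] = ev["image"]
        elif ev["event"] == "network_connect":
            image = image_by_pid.get(ev["pid"], "")
            basename = image.rsplit("\\", 1)[-1].lower()
            if basename in HOLLOWING_TARGETS and is_c2_host(ev["dest_host"]):
                hits.append((ev["pid"], basename, ev["dest_host"].lower()))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS.splitlines()):
        print("possible hollowed process fetching C2 config:", hit)
```

In the sample, only pid 4120 is reported: the browser reaching YouTube is normal, and the second unins000.exe instance never touches the network.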
At this point the information stealer goes to work and gathers financial data, passwords stored in the browser, email client credentials and SSH credentials.
“Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures,” Cofense
The post Facebook, YouTube insider threats used in Brazilian phishing scheme appeared first on SC Media.