McAfee’s Threat Research team said that the recently discovered Astaroth campaign took "infrastructure abuse to a new level," likening it to a criminal who keeps backup keys to your house hidden around the neighborhood.
According to the researchers, threat actors use GitHub repositories to host malware configurations. When their C2 infrastructure is taken down, Astaroth uses fresh configurations from GitHub and keeps running.
In either case, per McAfee, all malicious GitHub repositories that they found have now been taken down.
The investigation has shown that criminals are using emails with themes such as DocuSign and résumés to trick victims into clicking on a malicious link and downloading a ZIP file that contains malware. This malware, which is geographically restricted, is also designed to shut down the system if it detects that it is being analyzed through various anti-analysis techniques.
The malware is looking for open banking and crypto-related sites to collect keystrokes and steal passwords. The researchers have found banking platforms such as caixa.gov.br, safra.com.br, itau.com.br, bancooriginal.com.br, santandernet.com.br, and btgpactual.com.
Among the targeted crypto platforms were etherscan.io, binance.com, bitcointrade.com.br, metamask.io, foxbit.com.br, and localbitcoins.com.
The Threat Research team once again reminded users not to open attachments or links in emails from unknown sources, to use two-factor authentication (2FA), and to keep antivirus software up to date.
Meanwhile, in a separate story, a user of the decentralized crypto platform Hyperliquid reportedly lost around $21 million worth of crypto assets after criminals obtained their private keys, giving them access to the funds.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked