Overview
- McAfee Labs detailed how Astaroth retrieves configuration data concealed in GitHub-hosted images using steganography whenever primary command servers go offline.
- A Microsoft-owned GitHub takedown of the identified repositories temporarily disrupted this backup channel, according to McAfee’s analysis.
- The latest campaign starts with DocuSign- or resume-themed phishing that delivers a ZIP containing an LNK, which launches obfuscated JavaScript via mshta.exe.
- The script drops an AutoIt interpreter and script that build shellcode to load a Delphi DLL, which decrypts and injects Astaroth into a new regsvc.exe process.
- Once active, the malware keylogs credentials entered on banking and cryptocurrency sites and exfiltrates them through Ngrok tunnels. It uses anti-analysis checks, applies geofencing to avoid US and English-language locales, and persists via an LNK in the Startup folder; vendors have published IoCs to aid detection.
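As an added defender-side illustration (not code from McAfee's report or from this article), the heuristics below flag the execution-chain and persistence artifacts named in these bullets when run over constructed process and file events. The event layout, the assumption that the dropped interpreter keeps the AutoIt3.exe image name, and the rule that regsvc.exe is normally a child of services.exe are mine, not from the page.

```python
import re
from typing import List, NamedTuple


class ProcEvent(NamedTuple):
    parent: str   # parent image name or path
    image: str    # child image path
    cmdline: str  # child command line


# Paths an unprivileged user can write to; dropped stages live here rather than in System32.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# Persistence location named in the report: an LNK placed in the per-user Startup folder.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on bare names too)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> List[str]:
    """Return the names of the chain heuristics that match a single process-creation event."""
    hits = []
    img = base(ev.image)
    cmd = ev.cmdline.lower()
    # Stage 1: LNK -> mshta.exe running script content from a user-writable path or inline javascript:.
    if img == "mshta.exe" and (USER_WRITABLE.search(ev.cmdline) or "javascript:" in cmd):
        hits.append("mshta_user_path")
    # Stage 2: AutoIt interpreter (assumed name AutoIt3.exe) or any .a3x/.au3 script run from a user path.
    if img == "autoit3.exe" or (re.search(r"\.(a3x|au3)\b", cmd) and USER_WRITABLE.search(ev.cmdline)):
        hits.append("autoit_script")
    # Stage 3: regsvc.exe is assumed to be started only by services.exe; another parent suggests injection.
    if img == "regsvc.exe" and base(ev.parent) != "services.exe":
        hits.append("regsvc_odd_parent")
    return hits


def startup_lnk_written(path: str) -> bool:
    """True when a file-write event targets an LNK inside the Startup folder."""
    return bool(STARTUP_LNK.search(path))


def scan(events):
    """Collect (image, heuristic) pairs over a batch of events."""
    return [(ev.image, h) for ev in events for h in detect(ev)]


# Constructed sample telemetry (not real IoCs): three chain stages plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\alice\AppData\Local\Temp\resume\resume.js"),
    ProcEvent("mshta.exe", r"C:\Users\Public\Libraries\AutoIt3.exe",
              r"AutoIt3.exe C:\Users\Public\Libraries\loader.a3x"),
    ProcEvent("AutoIt3.exe", r"C:\Windows\System32\regsvc.exe", "regsvc.exe"),
    ProcEvent("services.exe", r"C:\Windows\System32\regsvc.exe", "regsvc.exe"),
    ProcEvent("explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]
```

Each heuristic alone is noisy in a real estate; the value is in correlating them on one host within a short window, which is what the chain described above makes possible.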