In this campaign, Cloudflare Workers serves as one stage of the attack chain. The attackers send a phishing email disguised as an ordinary survey, with an HTML file attached.
In the second stage, the HTML attachment parses JSON taken from the URL, decodes it from Base64 into a byte array, and renames the result to match the name of the HTML file. A special link is then generated automatically that starts the download of the malware onto the user's computer.
In the third stage, the malicious DLL is loaded; it is controlled through YouTube and Facebook accounts operated by the threat actors, and those accounts serve as the C&C server.
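The second stage described above (a Base64 blob decoded to a byte array, wrapped in a Blob behind an object URL, and pushed to the user as a forced download) leaves characteristic tokens in the attachment that mail gateways and analysts can look for. The following scanner is an added example, not code from the original report or from the Astaroth operators: the indicator names, the threshold of four hits, and both sample documents are assumptions constructed for illustration, and the "payload" inside the suspicious sample is just an MZ header followed by zero bytes.

```python
import base64
import re

# Indicator regexes for the smuggling pattern described in the article
# (constructed for this example; tune the list to your own mail flow).
INDICATORS = {
    "url_param":       re.compile(r"location\.(?:search|hash)|\bURLSearchParams\b"),
    "json_parse":      re.compile(r"JSON\.parse\s*\("),
    "atob_decode":     re.compile(r"\batob\s*\("),
    "byte_array":      re.compile(r"\bUint8Array\b|\bArrayBuffer\b"),
    "blob_object":     re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":      re.compile(r"createObjectURL\s*\("),
    "forced_download": re.compile(r"\bdownload\s*="),
}
# A run of 200+ Base64 characters is unusual in a legitimate survey page.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
SUSPICIOUS_THRESHOLD = 4  # assumed cut-off: four or more indicators flags the file

# Magic bytes that tell an analyst what the embedded blob actually is.
FILE_MAGIC = {b"MZ": "MZ (PE executable)", b"PK": "PK (ZIP archive)"}


def decode_largest_blob(html: str) -> bytes:
    """Return the decoded bytes of the longest Base64 run in the document, or b''."""
    runs = BASE64_RUN.findall(html)
    if not runs:
        return b""
    try:
        return base64.b64decode(max(runs, key=len))
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""


def scan_html(html: str) -> dict:
    """Score an HTML attachment against the smuggling indicators."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    payload = decode_largest_blob(html)
    hits["large_base64"] = len(payload) > 0
    score = sum(hits.values())
    return {
        "indicators": hits,
        "score": score,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
        "embedded_bytes": len(payload),
        "embedded_type": FILE_MAGIC.get(payload[:2], "unknown") if payload else None,
    }


# Constructed samples: a harmless survey form and an inert smuggling fragment.
BENIGN_SAMPLE = "\n".join([
    '<html><body><form action="/survey" method="post">',
    '<label>How satisfied are you? <input type="number" name="score"></label>',
    '<button type="submit">Send</button></form></body></html>',
])

# The "payload" is an MZ header plus 200 zero bytes, i.e. nothing runnable.
_FAKE_PAYLOAD = base64.b64encode(b"MZ" + b"\x00" * 200).decode()
SUSPICIOUS_SAMPLE = "\n".join([
    "<html><body><script>",
    "var cfg = JSON.parse(decodeURIComponent(location.hash.slice(1)));",
    'var raw = atob("' + _FAKE_PAYLOAD + '");',
    "var bytes = new Uint8Array(raw.length);",
    "var blob = new Blob([bytes]);",
    'var a = document.createElement("a");',
    "a.href = URL.createObjectURL(blob);",
    "a.download = cfg.name;",
    "</script></body></html>",
])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        result = scan_html(sample)
        print(label, result["score"], result["suspicious"], result["embedded_type"])
```

The scanner is deliberately a heuristic: each indicator alone is common in ordinary web pages, so the verdict rests on how many co-occur in a single attachment, and the decoded magic bytes give a responder an immediate idea of what the file would have dropped.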
“According to analysis of the samples involved, after the DLL side loading, one of the Diebold Warsaw installation binaries, which is a security suite used on systems accessing online banking in Brazil, is hollowed and used to communicate to Facebook and Youtube profiles in order to obtain the Final C2 addresses,” reported Renato Marinho of Morphus Labs.
The threat actors currently behind the Astaroth campaign are going to great lengths to escape detection and defeat conventional security solutions.
Security researchers first detected the spread of the Astaroth malware last month, but since then the attackers have started using new and more sophisticated techniques to evade detection and hide their traces inside infected organizations.