Facebook and YouTube Profiles Used to Host Astaroth Malware C2 Server

Cybercriminals are abusing Facebook and YouTube profiles to host data for the Astaroth malware, which is delivered through a sophisticated phishing campaign that mainly targets Brazilian citizens.
The threat actors behind the Astaroth Trojan use various trusted sources to compromise victims and steal their sensitive data.
The security research community has been monitoring Astaroth Trojan activity since 2018; the malware evades various security protections by abusing antivirus software to intrude on the targeted device.
Astaroth leverages legitimate Windows services to drop its payload, a method that helps it bypass security protections easily.
Researchers from Cofense uncovered a phishing email campaign that tempts users to open a .htm file, which is the initial stage of the infection.
Once the victim opens the .htm file, it downloads a zip file containing a .LNK file, which in turn downloads JavaScript.
The JavaScript code then downloads multiple files that execute the Astaroth information stealer.
Researchers discovered two .DLL files associated with a legitimate program ('C:\Program Files\Internet Explorer\ExtExport.exe') that are used to run malicious code from a trusted source.
To maintain the C2 configuration data, the threat actors use Facebook and YouTube profile descriptions, with the data base64 encoded and custom encrypted.
By cleverly hosting the C2 data on these trusted sources, the threat actors bypass network security and gather sensitive information from the victim, such as passwords stored in the browser, email client credentials, SSH credentials, and more.
After the malware collects all the data, it bundles and encrypts it and sends it via HTTPS POST to a site from the C2 list.
