Astaroth Spy Trojan Uses Facebook, YouTube Profiles to Cover Tracks

Facebook and YouTube profiles are at the heart of an ongoing phishing campaign spreading the Astaroth trojan, bent on the eventual exfiltration of sensitive information. The attack is sophisticated in that it uses normally trusted sources as cover for malicious activities – thus evading usually effective email and network security layers.

The attack starts with an .HTM file attached to an email, according to Aaron Riley, researcher at Cofense. He noted in an analysis this week that the emails come in three “flavors” – an invoice theme, a show ticket theme and a civil lawsuit theme.

If the target clicks on the attachment, the .HTM file downloads a .ZIP archive that contains a malicious .LNK file. The .LNK file then downloads JavaScript code from a Cloudflare worker’s domain, which in turn downloads multiple files that are used to help obfuscate and execute a sample of the Astaroth information-stealer.

Read more…
Source: ThreatPost