Astaroth Malware Abuses Cloudflare Workers to Slip Behind Security Solutions

Delaware, USA – September 3, 2019 – The authors of the Astaroth malware continue to experiment with abusing legitimate tools and services to deploy the trojan and hide their traces after infection. Following the recent disclosure of the infection chain, the attackers have significantly altered the delivery mechanism and launched a new campaign. Security researcher Marcel Afrahim discovered that the Cloudflare Workers platform is being misused to spread an updated version of Astaroth. The adversaries send phishing emails posing as automated notifications about audit or billing requests, with an HTML attachment containing obfuscated JavaScript. The script downloads the next-stage payload from a domain hidden behind Cloudflare's web infrastructure. The adversaries use Cloudflare's IP geolocation service to ensure that only users in Brazil receive the JSON payload. The JSON is then parsed and saved as a zip file by the user's browser; delivering the payload as JSON helps it evade checks or blocks by traffic-analysis solutions. The zip file contains a shortcut whose URL points to a script created in the Cloudflare Workers dashboard; that script is saved on the victim's system and executed through the wscript process to download the final payload. Interestingly, this infection chain is used only against 64-bit systems; in other cases the trojan is downloaded from a Google Storage repository without such a complicated chain, so as not to expose the main infrastructure.

When the infection is complete, Astaroth retrieves a list of current command-and-control servers from Facebook and YouTube profiles registered by the adversaries, which lets them keep the campaign running even if a C&C server is blocked by researchers or authorities. So far the trojan targets organizations in Brazil and is used to steal credentials, while its authors quickly modify both the trojan itself and its delivery mechanisms.

Learn more about the techniques used by Astaroth malware on Threat Detection Marketplace: https://tdm.socprime.com/att-ck/

Rules to detect misuse of Wscript:
Execution wscript.exe – https://tdm.socprime.com/tdm/info/1087/
WScript or CScript Dropper – https://tdm.socprime.com/tdm/info/1207/
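As an added illustration (not part of the original article and not the content of the rules linked above), the following Python snippet runs a simplified version of that detection logic over a few constructed process-creation and network-connection events modelled on Sysmon fields. It flags wscript.exe or cscript.exe launched with a script from a user-writable path, raises severity when the parent is explorer.exe (the user opened the file) or when the script host goes on to make an outbound connection, and leaves legitimate administrative use such as slmgr.vbs alone. The events, the ProcessGuid values and the workers.dev hostname are constructed samples, not telemetry from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). They mimic a handful of
# Sysmon fields: Event ID 1 = process creation, Event ID 3 = network connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Fatura\nfe.js"'},
    {"EventID": 3, "ProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "example.workers.dev",  # constructed hostname
     "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B2}",  # legitimate admin use of cscript
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli"},
    {"EventID": 1, "ProcessGuid": "{C3}",  # a .js opened in an editor, not a script host
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": r'"C:\Program Files\Notepad++\notepad++.exe" C:\Users\alice\Downloads\notes.js'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Locations an ordinary user (or a dropper running as one) can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def split_cmdline(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def suspicious_script(event):
    """Return the script path if a script host was launched with a script
    from a user-writable directory, else None."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in SCRIPT_HOSTS:
        return None
    for token in split_cmdline(event.get("CommandLine", ""))[1:]:
        low = token.lower()
        if low.startswith("/"):  # host switches such as //nologo or /b
            continue
        if PureWindowsPath(low).suffix in SCRIPT_EXTS and low.startswith(USER_WRITABLE):
            return token
    return None


def find_suspicious(events):
    """Correlate process-creation hits with later network connections
    from the same process and return a list of alerts."""
    net_by_guid = {}
    for e in events:
        if e.get("EventID") == 3:
            net_by_guid.setdefault(e["ProcessGuid"], []).append(
                e.get("DestinationHostname", "?"))

    alerts = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        script = suspicious_script(e)
        if script is None:
            continue
        severity = "medium"
        reasons = [f"script host launched with {script}"]
        parent = PureWindowsPath(e.get("ParentImage", "")).name.lower()
        if parent == "explorer.exe":
            severity = "high"
            reasons.append("parent is explorer.exe (user opened the file)")
        destinations = net_by_guid.get(e["ProcessGuid"])
        if destinations:
            severity = "high"
            reasons.append("outbound connection to " + ", ".join(destinations))
        alerts.append({"guid": e["ProcessGuid"], "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["guid"], "; ".join(alert["reasons"]))
```

Only the first sample trips the detector: the script host is launched from Downloads by explorer.exe and then talks to the network, which is exactly the shape of the chain described above. The slmgr.vbs invocation is ignored because the script lives under System32, and the editor opening a .js file is ignored because the image is not a script host.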