Redazione RHC: 14 October 2025 16:02
McAfee researchers have reported new activity by the Astaroth banking trojan, which has started using GitHub as a persistent channel for distributing configuration data.
This approach allows attackers to maintain control over infected devices even after the primary command and control servers are disabled, significantly increasing the malware’s survivability and making it more difficult to neutralize.
The attack begins with a phishing email disguised as a notification from popular services like DocuSign or purporting to contain a candidate's resume. The body of the email contains a link to download a ZIP archive.
Inside is a shortcut file (.lnk) that launches hidden JavaScript via mshta.exe. This script downloads a new set of files from a remote server, access to which is geographically restricted: the malware is downloaded only to devices in the targeted regions.
The downloaded kit includes an AutoIT script, an AutoIT interpreter, the encrypted body of the Trojan itself, and a separate configuration file. The script loads the shellcode into memory and injects a DLL into the RegSvc.exe process, using anti-analysis techniques and substitution of standard kernel32.dll API calls.
The downloaded module, written in Delphi, carefully checks the environment: if a sandbox, debugger, or system with an English locale is detected, execution is immediately terminated.
Astaroth constantly monitors open windows. If the user visits a bank or cryptocurrency service website, the Trojan activates a keylogger, intercepting all keystrokes. It identifies browsers by their Windows window class names, such as Chrome, Mozilla, IEframe, and others. Targeted resources include the websites of major Brazilian banks and cryptocurrency platforms, including Binance, Metamask, Etherscan, and LocalBitcoins. All stolen data is transmitted to the attackers' server using a proprietary protocol or via the Ngrok reverse proxy service.
A unique feature of this campaign is that Astaroth uses GitHub to update its configuration. Every two hours, the Trojan downloads a PNG image from a public repository; the image carries an encrypted configuration embedded steganographically. The discovered repositories contained images with a predefined naming format and were promptly removed at the researchers' request. However, this approach demonstrates how legitimate platforms can be used as a backup communication channel for malware.
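The two-hour GitHub fetch described above is a regular beacon, and regularity is something a defender can measure. The following Python script is an added example written for this article, not McAfee's tooling or anything from the campaign: it groups outbound connections per process, keeps only PNG downloads from GitHub-owned hosts by non-browser processes, and flags a process whose inter-request gaps are nearly constant. The records, the repository path and the use of RegSvc.exe as the requesting process are constructed for illustration (the article says the DLL is injected into RegSvc.exe, so that is the assumed network source).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import ntpath

# Hosts that serve GitHub repository content; browsers are excluded because
# people legitimately view PNGs on GitHub all day.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed proxy/EDR-style records for this example: (ISO timestamp, process image,
# destination host, URL path). The repo path is a placeholder, not the real naming format.
SAMPLE_CONNECTIONS = [
    ("2025-10-13T08:00:05", r"C:\Windows\System32\RegSvc.exe", "raw.githubusercontent.com", "/user/repo/main/img_0001.png"),
    ("2025-10-13T10:00:07", r"C:\Windows\System32\RegSvc.exe", "raw.githubusercontent.com", "/user/repo/main/img_0001.png"),
    ("2025-10-13T12:00:04", r"C:\Windows\System32\RegSvc.exe", "raw.githubusercontent.com", "/user/repo/main/img_0001.png"),
    ("2025-10-13T14:00:09", r"C:\Windows\System32\RegSvc.exe", "raw.githubusercontent.com", "/user/repo/main/img_0001.png"),
    # A browser fetching README images: excluded by process name.
    ("2025-10-13T09:12:00", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "raw.githubusercontent.com", "/someproject/docs/logo.png"),
    ("2025-10-13T16:40:00", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "raw.githubusercontent.com", "/other/badge.png"),
    # A non-browser tool fetching PNGs at irregular times: not periodic, so not flagged.
    ("2025-10-13T09:00:00", r"C:\Tools\updater.exe", "raw.githubusercontent.com", "/tool/release/icon.png"),
    ("2025-10-13T09:20:00", r"C:\Tools\updater.exe", "raw.githubusercontent.com", "/tool/release/icon.png"),
    ("2025-10-13T13:00:00", r"C:\Tools\updater.exe", "raw.githubusercontent.com", "/tool/release/icon.png"),
]


def find_github_png_beacons(records, min_hits=3, max_cv=0.05):
    """Return processes whose GitHub PNG downloads recur at near-constant intervals.

    max_cv is the allowed coefficient of variation (stdev / mean) of the gaps between
    requests; a scheduled beacon has a very small one, human activity does not.
    """
    by_proc = defaultdict(list)
    for ts, image, host, path in records:
        if host not in GITHUB_HOSTS or not path.lower().endswith(".png"):
            continue
        if ntpath.basename(image).lower() in BROWSERS:
            continue
        by_proc[image].append(datetime.fromisoformat(ts))

    findings = []
    for image, times in by_proc.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings.append({
                "image": image,
                "hits": len(times),
                "mean_interval_s": round(avg),
                "mean_interval_h": round(avg / 3600, 2),
                "cv": round(cv, 4),
            })
    return findings


if __name__ == "__main__":
    for f in find_github_png_beacons(SAMPLE_CONNECTIONS):
        print(f"{f['image']}: {f['hits']} PNG fetches every ~{f['mean_interval_h']} h (cv={f['cv']})")
```

The threshold on the coefficient of variation is deliberately strict; raise it if the data source only has minute resolution, and feed the function a long enough window (at least three fetches, so six hours for this campaign's cadence) before trusting a negative result.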
To persist on the system, the Trojan places a shortcut in the startup folder, ensuring that it runs automatically every time the computer is started. Despite the technical complexity of the attack, the primary vector remains social engineering and user trust in emails.
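Three of the host-side steps in this chain (the shortcut launching script through mshta.exe, the injection into RegSvc.exe, and the shortcut dropped into the startup folder) each leave a distinct endpoint event. The script below is an added example, not McAfee's detection content or anything from the campaign: it triages constructed Sysmon-style JSON events and flags those three behaviours. Event IDs follow Sysmon's numbering (1 process create, 8 CreateRemoteThread, 11 file create); the file paths, user name and the AutoIt3.exe interpreter as the injection source are constructed assumptions, and the mshta command line is a placeholder rather than real payload.

```python
import json
import ntpath

# Constructed Sysmon-style events as JSON lines; sample data for this example, not real telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    # A shortcut double-clicked in Explorer that runs inline script via mshta.exe (placeholder body).
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'mshta.exe "javascript:CONSTRUCTED_SAMPLE"'},
    # A vendor installer showing a local .hta help page: benign, not flagged.
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    # Remote thread created in RegSvc.exe from a user-writable location (assumed AutoIt interpreter).
    {"EventID": 8, "SourceImage": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "TargetImage": r"C:\Windows\System32\RegSvc.exe"},
    # A .lnk written into the per-user Startup folder by something other than Explorer.
    {"EventID": 11, "Image": r"C:\Windows\System32\RegSvc.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Desktop\notes.txt"},
])

STARTUP_DIR = r"\start menu\programs\startup\\".rstrip("\\") + "\\"
SCRIPT_MARKERS = ("javascript:", "vbscript:", "http")


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def triage(jsonl):
    """Return (rule_name, line_index) for every event matching one of the three behaviours."""
    findings = []
    for n, line in enumerate(jsonl.splitlines()):
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 1 and base(ev.get("Image", "")) == "mshta.exe":
            # mshta.exe given inline script or a remote location rather than a local .hta file.
            cmd = ev.get("CommandLine", "").lower()
            if any(m in cmd for m in SCRIPT_MARKERS):
                findings.append(("mshta_inline_script", n))
        elif eid == 8 and base(ev.get("TargetImage", "")) == "regsvc.exe":
            # Any remote thread into RegSvc.exe is worth a look; the source path makes it worse.
            findings.append(("remote_thread_into_regsvc", n))
        elif eid == 11:
            target = ev.get("TargetFilename", "").lower()
            if STARTUP_DIR in target and target.endswith(".lnk") and base(ev.get("Image", "")) != "explorer.exe":
                findings.append(("startup_lnk_dropped", n))
    return findings


if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        print(f"line {idx}: {rule}")
```

Explorer is excluded from the startup-folder rule because that is how a user creates a legitimate autostart shortcut; any other writer of a .lnk into that directory deserves review. The mshta rule keys on the command line rather than the parent process, since a shortcut launched from Explorer has explorer.exe as its parent just like a normal program.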
During the investigation, specialists discovered that most infections are concentrated in South America, primarily in Brazil, but also in Argentina, Colombia, Chile, Peru, Venezuela, and other countries in the region. Cases are also possible in Portugal and Italy.
McAfee emphasizes that such patterns highlight the need for increased vigilance when working with open platforms like GitHub, as attackers are increasingly using them to bypass traditional blocking mechanisms. The company has already reported the malicious repositories, which were promptly removed, temporarily interrupting Astaroth's update chain.