A new Astaroth banking trojan campaign documented by McAfee Labs shows attackers abusing GitHub as a resilient configuration channel, using steganography to hide settings inside images hosted in public repositories. The payoff for the operators is continuity: even if the command-and-control (C2) endpoints are blocked, the malware can still fetch updated configuration from GitHub and keep running.
GitHub as a fallback update channel with steganography
The most consequential shift in this wave is the use of steganography on GitHub. Configuration parameters are embedded in image files stored in public repositories, so the update request looks like an ordinary fetch of a GitHub-hosted image and the file itself is a valid image: both network and file-based detection become harder, and the attacker gains a durable control plane when primary C2 is disrupted. McAfee notes that, in coordination with GitHub, the repositories tied to Astaroth were removed, which temporarily broke the update chain. The takedown does not change the lesson: a legitimate platform can be repurposed as a persistence and update channel.
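To make the dead-drop pattern concrete, here is an added Python example (not code from McAfee's report or from Astaroth) that builds a small valid PNG, hides a constructed configuration string in it, and then scans the file the way an analyst or an EDR content rule could. The hiding method, base64 text appended after the IEND chunk, is an assumption chosen for illustration; the write-up summarized here does not say how Astaroth encodes its settings, and a least-significant-bit scheme would leave no trailing bytes. The scanner therefore also reports oversized ancillary chunks and CRC mismatches, which catch other common ways of smuggling data inside a PNG container.

```python
import base64
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int = 8, height: int = 8) -> bytes:
    """Constructed fixture: a minimal valid 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes((x * 37 + y * 11) & 0xFF for x in range(width))
                    for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")


def hide_after_iend(png: bytes, secret: bytes) -> bytes:
    """Illustrative dead-drop encoding (an assumption, not Astaroth's documented scheme):
    base64 text appended after IEND. Decoders stop at IEND, so the image still renders."""
    return png + base64.b64encode(secret)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_png(data: bytes, max_ancillary: int = 512) -> dict:
    """Walk the chunk list and report what a clean image should not carry."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    report = {"chunks": [], "bad_crc": [], "oversized_ancillary": [], "truncated": False,
              "trailing_bytes": 0, "trailing_entropy": 0.0, "decoded_trailer": None}
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            report["truncated"] = True
            return report
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            report["bad_crc"].append(name)
        # Ancillary chunks (lowercase first letter) are ignored by decoders, so a
        # large one is a convenient carrier for hidden data.
        if name[0].islower() and length > max_ancillary:
            report["oversized_ancillary"].append(name)
        pos = end
        if ctype == b"IEND":
            break
    trailer = data[pos:]  # anything after IEND is not part of the image
    report["trailing_bytes"] = len(trailer)
    report["trailing_entropy"] = round(shannon_entropy(trailer), 2)
    if trailer:
        try:
            report["decoded_trailer"] = base64.b64decode(trailer, validate=True)
        except ValueError:
            report["decoded_trailer"] = None
    return report


def is_suspicious(report: dict) -> bool:
    return bool(report["trailing_bytes"] or report["bad_crc"] or report["oversized_ancillary"])


if __name__ == "__main__":
    clean = make_png()
    config = b"srv=example.invalid;ver=3"  # constructed placeholder config, not a real indicator
    for label, blob in (("clean", clean), ("stego", hide_after_iend(clean, config))):
        r = scan_png(blob)
        print(label, is_suspicious(r), r["chunks"], r["trailing_bytes"], r["decoded_trailer"])
```

A scanner like this is cheap enough to run on every image an endpoint pulls from a code-hosting domain; the interesting alert is not the trailing bytes alone but a process that fetched such a file and then started decoding it, which is the pairing the detection guidance below calls for.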
Targeting scope: Latin American banks and crypto users
While Astaroth has long concentrated on Brazil, the current campaign spans Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. The trojan targets banking and cryptocurrency services, harvesting credentials and keystrokes on domains such as caixa.gov.br, itau.com.br, santandernet.com.br, btgpactual.com, etherscan.io, and binance.com. Stolen data is exfiltrated through an ngrok reverse proxy: the victim only ever talks to ngrok's edge, the operator's real endpoint sits behind the tunnel, and the traffic blends in with legitimate use of the service, which complicates both attribution and filtering.
Infection chain: DocuSign phishing to RegSvc.exe process injection
The delivery vector follows a well-tested playbook: phishing emails spoofing DocuSign lure victims to an archive containing a Windows shortcut (.LNK). Opening the shortcut triggers a staged execution sequence that eventually deploys Astaroth.
Multi-stage loaders and obfuscation hinder defenses
The LNK launches obfuscated JavaScript that retrieves another script from an external host. From a set of hardcoded servers, the malware then pulls down multiple components, including an AutoIt script. That script runs shellcode that loads a Delphi-based DLL, decrypts the core Astaroth payload, and injects it into a newly created RegSvc.exe process. Because every stage is fetched and decrypted separately, the artifact on disk at any one point reveals little, a signature on one loader misses the others, and the chain as a whole evades static analysis and signature-based controls.
Anti-analysis, persistence, and geofencing tactics
Astaroth performs extensive environment checks and halts if it detects debuggers and reverse engineering tools such as IDA Pro, WinDbg, Wireshark, ImmunityDebugger, and PE Tools, or signs of virtualization/emulation. Persistence is achieved via a startup .LNK that launches the AutoIt script at boot. The campaign also employs geographic filtering: the initial URL is available only from specific regions, and execution is blocked on systems with an English locale or a U.S. region setting.
Why this matters for SOC and incident response
Abuse of legitimate platforms (e.g., GitHub) combined with steganography and multi-stage loaders complicates both network and endpoint detection. Even a timely C2 takedown may not fully impair operations when the adversary retains a configuration backchannel. Effective defense therefore requires behavioral analytics, a broader set of indicators of compromise (IOCs), and contextual detections aligned to techniques rather than infrastructure alone. In MITRE ATT&CK terms, relevant techniques include T1566 (Phishing), T1204 (User Execution), T1027 (Obfuscated Files and Information), T1055 (Process Injection), T1497 (Virtualization/Sandbox Evasion), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1102.001 (Web Service: Dead Drop Resolver), T1001.002 (Data Obfuscation: Steganography), T1071 (Application Layer Protocol), and T1090 (Proxy).
Detection and mitigation guidance for defenders
Email security: block archives containing .LNK files; enforce DMARC, SPF, and DKIM; educate staff on verifying DocuSign links and domains.
Script control: restrict JavaScript/WSH and AutoIt execution from user-writable paths using AppLocker or Windows Defender Application Control; adopt least privilege to limit script abuse.
EDR and behavioral rules: monitor for chains like LNK → wscript/cscript → AutoIt → shellcode → RegSvc.exe spawn/injection; alert on creation of startup LNK files; flag image downloads from GitHub followed by decoding activity.
Network monitoring: scrutinize access to raw.githubusercontent.com and anomalous image fetches; control outbound connections to reverse proxy services, including ngrok; apply egress filtering on a least-necessary basis.
Sandbox and analysis: emulate regional settings to trigger full behavior; detect anti-debug and anti-VM checks; use dynamic analysis to observe AutoIt and Delphi DLL stages.
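The endpoint and network indicators above lend themselves to a correlated hunt. The following Python is an added example, not part of the McAfee report, that runs a handful of rules over constructed Sysmon-style process and file events and proxy lines: the wscript/cscript → AutoIt → RegSvc.exe ancestry described in the infection chain, a script host started with a script in a user-writable path, a .lnk dropped in the Startup folder, an image fetched from raw.githubusercontent.com, and egress to an ngrok edge domain. The event layout, hostnames, file paths (including where RegSvc.exe and the AutoIt interpreter sit), the ngrok subdomain and the ngrok domain list are assumptions; a real deployment would map the fields to its SIEM schema and bucket the hits into a time window per host.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample telemetry (not from the McAfee report): Sysmon-style process
# and file-creation events plus web-proxy lines. Hostnames, paths (including where
# RegSvc.exe and the AutoIt interpreter sit) and the ngrok subdomain are placeholders.
PROC_EVENTS = [
    {"host": "WS01", "pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"host": "WS01", "pid": 4312, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe //E:jscript C:\Users\ana\AppData\Local\Temp\extract\doc.js"},
    {"host": "WS01", "pid": 4350, "ppid": 4312,
     "image": r"C:\Users\ana\AppData\Local\Temp\a\AutoIt3.exe", "cmd": "AutoIt3.exe run.a3x"},
    {"host": "WS01", "pid": 4377, "ppid": 4350,
     "image": r"C:\Users\ana\AppData\Local\Temp\a\RegSvc.exe", "cmd": "RegSvc.exe"},
    # Benign scripting on another host: same interpreter, no loader chain.
    {"host": "WS02", "pid": 800, "ppid": 700, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe C:\Scripts\inventory.vbs"},
]
FILE_EVENTS = [
    {"host": "WS01", "pid": 4350, "path": r"C:\Users\ana\AppData\Roaming\Microsoft\Windows"
     r"\Start Menu\Programs\Startup\upd.lnk"},
]
PROXY_LOG = [
    "2024-01-01T10:00:01Z WS01 GET https://raw.githubusercontent.com/example-acct/example-repo/main/img/logo.png 200 image/png",
    "2024-01-01T10:00:09Z WS01 CONNECT 0000-fake.ngrok-free.app:443 200",
    "2024-01-01T10:02:11Z WS02 GET https://raw.githubusercontent.com/example-org/tool/main/README.md 200 text/plain",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECT_TARGETS = {"regsvc.exe"}
AUTOIT_IMAGE = re.compile(r"^autoit3(_x64)?\.exe$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
NGROK_HOST = re.compile(r"(^|\.)ngrok(-free)?\.(io|app|dev)$", re.I)  # known edge domains, not exhaustive
IMAGE_EXT = {"png", "jpg", "jpeg", "gif", "bmp"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def looks_like_autoit(event: dict) -> bool:
    """Stock interpreter binary, or an .a3x script on the command line (compiled
    scripts are often renamed, so the image name alone is not enough)."""
    return bool(AUTOIT_IMAGE.match(basename(event["image"]))) or ".a3x" in event["cmd"].lower()


def process_chain_hits(events: list) -> list:
    """Injection target whose ancestry (up to 4 levels) holds both a Windows
    Script Host process and an AutoIt stage."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in INJECT_TARGETS:
            continue
        chain, cur = [e], e
        for _ in range(4):
            cur = by_pid.get((cur["host"], cur["ppid"]))
            if cur is None:
                break
            chain.append(cur)
        if any(basename(c["image"]) in SCRIPT_HOSTS for c in chain) and any(map(looks_like_autoit, chain)):
            hits.append({"host": e["host"], "rule": "wsh_autoit_regsvc_chain",
                         "chain": " -> ".join(basename(c["image"]) for c in reversed(chain))})
    return hits


def script_from_user_path_hits(events: list) -> list:
    """Script host whose command line points at a script in a user-writable directory."""
    return [{"host": e["host"], "rule": "wsh_from_user_path", "script": tok}
            for e in events if basename(e["image"]) in SCRIPT_HOSTS
            for tok in e["cmd"].split() if USER_WRITABLE.match(tok)]


def startup_lnk_hits(file_events: list) -> list:
    return [{"host": f["host"], "rule": "startup_lnk_create", "path": f["path"]}
            for f in file_events if STARTUP_LNK.search(f["path"])]


def proxy_hits(lines: list) -> list:
    hits = []
    for line in lines:
        _ts, host, _method, target = line.split()[:4]
        parts = urlsplit(target if "://" in target else "//" + target)  # CONNECT lines carry host:port
        dst, ext = (parts.hostname or "").lower(), parts.path.rsplit(".", 1)[-1].lower()
        if dst == "raw.githubusercontent.com" and ext in IMAGE_EXT:
            hits.append({"host": host, "rule": "github_raw_image_fetch", "url": target})
        if NGROK_HOST.search(dst):
            hits.append({"host": host, "rule": "ngrok_egress", "url": target})
    return hits


def score_hosts(proc: list, files: list, proxy: list) -> dict:
    """Rules fired per host; several independent rules on one host is the hunting lead."""
    per_host = defaultdict(set)
    for hit in (process_chain_hits(proc) + script_from_user_path_hits(proc)
                + startup_lnk_hits(files) + proxy_hits(proxy)):
        per_host[hit["host"]].add(hit["rule"])
    return {h: sorted(r) for h, r in per_host.items()}


if __name__ == "__main__":
    for host, rules in score_hosts(PROC_EVENTS, FILE_EVENTS, PROXY_LOG).items():
        print(host, rules)
```

Each rule on its own is noisy in a large estate (admins do run cscript from their profile, developers do fetch images from GitHub); the value is in the per-host aggregation, where WS01 fires all five rules and WS02, with ordinary scripting and a README fetch, fires none.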
Astaroth’s latest evolution illustrates how criminal operators repurpose trusted ecosystems to harden their campaigns. Organizations should revisit policies for handling .LNK files and scripting engines, tighten monitoring of GitHub and tunneling services, and prioritize behavior-driven EDR detections. A layered defense, continual user awareness, and proactive hunting for multi-stage loader patterns are critical to reducing the risk of compromise.