Astaroth’s Hidden LNK Malware
Global Attacks
June 12, 2025
The NJCCIC’s email security solution observed an uptick in campaigns spreading Astaroth malware attributed to TA2725. Astaroth, first spotted in 2017, is an information-stealing trojan that primarily targets businesses in Brazil, other Latin American countries, and Europe. Recently observed phishing emails from TA2725 use Portuguese-language lures masquerading as a curriculum vitae (CV), invoices, or DocuSign.
In these observed campaigns, a ZIP archive containing an LNK file is downloaded when the recipient clicks the provided URL. Extracting and running the LNK file ultimately leads to the installation of Astaroth. During installation, Astaroth creates an LNK file in the system’s Startup folder so that it runs at every system startup, maintaining persistence on the infected system. While TA2725 has recently been primarily distributing Astaroth, the group has also been tracked spreading Mispadu, Grandoreiro, and, most recently, ScreenConnect.
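The persistence step above (an LNK dropped into a Startup folder) is something a defender can check for directly. The script below is an added example written for this advisory; it is not NJCCIC code and it does not reproduce any Astaroth artifact. It parses the Shell Link format (header, LinkInfo LocalBasePath, and the Unicode string data per the MS-SHLLINK layout), enumerates the per-user and all-users Startup folders, and flags shortcuts whose target is a command interpreter or script host, which a legitimate Startup shortcut rarely is. The list of flagged targets is an assumption to be tuned for your environment, and the sample LNK is constructed inline so the example runs offline on any platform.

```python
"""Startup-folder LNK triage: parse .lnk files and flag interpreter/script-host targets.
Added example for this advisory (not NJCCIC's code). Layout follows MS-SHLLINK;
the sample LNK built by build_sample_lnk() is constructed here, not a real artifact."""
import os
import struct
import sys
import tempfile
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits in the ShellLinkHeader
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# Assumption: targets a Startup shortcut should rarely point at; tune per estate.
SUSPICIOUS_TARGETS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return target, arguments and working_dir recovered from raw LNK bytes."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # end of the fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:  # LinkTargetIDList: 2-byte IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 0x01:  # VolumeIDAndLocalBasePath: ANSI path at LocalBasePathOffset
            lbp_off = struct.unpack_from("<I", data, pos + 16)[0]
            start = pos + lbp_off
            target = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += info_size
    strings = {}
    # StringData blocks appear in this fixed order, each as a 2-byte char count + chars
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                      ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS), ("icon", HAS_ICON)):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            strings[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
            pos += width * count
    if not target:  # fall back to RelativePath when no LocalBasePath is present
        target = strings.get("relative_path", "")
    return {"target": target, "arguments": strings.get("arguments", ""),
            "working_dir": strings.get("working_dir", "")}


def is_suspicious(entry: dict) -> bool:
    """Flag shortcuts whose target binary is an interpreter or script host."""
    base = os.path.basename(entry["target"].replace("\\", "/")).lower()
    return base in SUSPICIOUS_TARGETS


def default_startup_folders() -> list:
    """Per-user and all-users Startup folders (resolved from the environment)."""
    tail = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "StartUp")
    return [os.path.join(os.environ.get("APPDATA", ""), tail),
            os.path.join(os.environ.get("ProgramData", ""), tail)]


def scan_startup_folders(folders) -> list:
    """Parse every *.lnk in the given folders and annotate each with a verdict."""
    findings = []
    for folder in folders:
        for lnk in Path(folder).glob("*.lnk"):
            try:
                entry = parse_lnk(lnk.read_bytes())
            except ValueError:
                continue  # not a real shortcut; skip
            entry["path"] = str(lnk)
            entry["suspicious"] = is_suspicious(entry)
            findings.append(entry)
    return findings


def build_sample_lnk(target: str, arguments: str, working_dir: str = "") -> bytes:
    """Constructed sample: header + LinkInfo (VolumeID + LocalBasePath) + Unicode StringData."""
    flags = HAS_LINK_INFO | HAS_ARGS | IS_UNICODE | (HAS_WORK_DIR if working_dir else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"  # minimal VolumeID, empty label
    base_path = target.encode("cp1252") + b"\x00"
    body = volume_id + base_path + b"\x00"  # trailing byte is an empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 28 + len(body), 28, 0x01, 28,
                            28 + len(volume_id), 0, 28 + len(volume_id) + len(base_path)) + body

    def sd(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + link_info + (sd(working_dir) if working_dir else b"") + sd(arguments)


def demo_scan() -> list:
    """Write the constructed sample into a temp folder and scan it (offline demo)."""
    folder = tempfile.mkdtemp(prefix="lnk-demo-")
    Path(folder, "update.lnk").write_bytes(
        build_sample_lnk(r"C:\Windows\System32\cmd.exe", "/c echo constructed-sample"))
    return scan_startup_folders([folder])


if __name__ == "__main__":
    folders = sys.argv[1:] or default_startup_folders()
    findings = scan_startup_folders(folders) if any(os.path.isdir(f) for f in folders) else demo_scan()
    for f in findings:
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ")
              + f"{f['path']} -> {f['target']} {f['arguments']}")
```

Run it with no arguments on a Windows host to scan both Startup folders, or pass folder paths explicitly (a mounted disk image's Startup directories, for example); on any other platform it falls back to the constructed sample. A hit only tells you the shortcut's target and arguments are unusual for Startup persistence, so treat it as a triage lead to review the referenced binary and its command line, not as a conviction.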
Recommendations
- Facilitate user awareness training to include these types of phishing-based techniques.
- Avoid clicking links and opening attachments in unsolicited emails.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
- Maintain robust and up-to-date endpoint detection tools on every endpoint.
- Consider leveraging behavior-based detection tools rather than signature-based tools.
- Report phishing and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.