Banking malware used GitHub for persistence


Repos acting as C2 infrastructure for Astaroth infostealer removed.

GitHub has removed malicious code repositories that acted as command and control (C2) infrastructure for a banking information stealer, after being notified by McAfee security researchers.


The Astaroth trojan horse is spread by phishing, and if executed via a Windows shortcut, installs malware on the victim's system, McAfee said.

Astaroth detects when users access banking and cryptocurrency websites, copies the login credentials for those sites and sends them to the attackers via the Ngrok reverse proxy tool.

Even though the C2 servers that the Ngrok tool connected to were taken down, Astaroth was still able to pull fresh configurations from GitHub and keep running.

"Think of it like a criminal who keeps backup keys to your house hidden around the neighbourhood. Even if you change your locks, they’ve got another way in," McAfee's researchers wrote.
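The fallback channel described above, a repository on a trusted code-hosting site polled for fresh configuration after the primary C2 is gone, leaves a recognisable trace in web proxy logs. The following detection heuristic is an added example written for this article, not McAfee's or GitHub's code; the log format, host names, repository paths and thresholds are all assumptions, and the sample log lines are constructed.

```python
"""Flag hosts whose proxy logs show GitHub-hosted content fetched at regular
intervals by a non-browser process, and note whether the same host also
talked to an ngrok tunnel. Heuristic only; log format is assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> <client host> <METHOD> <url> "<user agent>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)
CONFIG_HOSTS = ("raw.githubusercontent.com", "github.com")
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")

# Constructed sample: ws-042 polls a config file every ~10 minutes with an
# empty user agent and also posts to an ngrok tunnel; ws-017 is a human
# browsing GitHub normally. Repository paths are placeholders.
SAMPLE_LOG = """\
2025-10-07T09:00:00 ws-042 GET https://raw.githubusercontent.com/placeholder-user/placeholder-repo/main/cfg.txt ""
2025-10-07T09:10:02 ws-042 GET https://raw.githubusercontent.com/placeholder-user/placeholder-repo/main/cfg.txt ""
2025-10-07T09:15:30 ws-042 POST https://abc123.ngrok.io/upload "WinHTTP"
2025-10-07T09:20:01 ws-042 GET https://raw.githubusercontent.com/placeholder-user/placeholder-repo/main/cfg.txt ""
2025-10-07T09:03:11 ws-017 GET https://github.com/some-org/some-repo "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"
2025-10-07T11:41:55 ws-017 GET https://raw.githubusercontent.com/some-org/some-repo/main/README.md "Mozilla/5.0 Chrome/130.0"
""".splitlines()

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            yield d

def hostname(url):
    return url.split("://", 1)[-1].split("/", 1)[0].lower()

def analyse(lines, min_fetches=3, max_jitter=60):
    github = defaultdict(list)   # client host -> timestamps of non-browser GitHub fetches
    tunnel = set()               # client hosts that contacted an ngrok tunnel
    for ev in parse(lines):
        h = hostname(ev["url"])
        if h.endswith(TUNNEL_SUFFIXES):
            tunnel.add(ev["host"])
        if h in CONFIG_HOSTS and not ev["ua"].startswith(BROWSER_MARKERS):
            github[ev["host"]].append(ev["ts"])
    findings = {}
    for host, times in github.items():
        if len(times) < max(min_fetches, 2):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:   # near-constant polling interval
            findings[host] = {"fetches": len(times), "interval": sum(gaps) / len(gaps),
                              "ngrok": host in tunnel}
    return findings
```

A hit on a workstation that has no legitimate reason to run automation against GitHub is a lead for triage, not proof of infection; the host and process behind the requests still need to be examined.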

Astaroth mainly targets users located in South America, particularly Brazil, but can also be used against users in Italy and Portugal.

It has been active for several years: Microsoft's Defender Security Research Team analysed Astaroth in 2019, detailing its fileless capabilities.

The malware is also known as Guildma, and Cisco's Talos researchers documented it in 2024 using the Google Cloud Run service for large-scale distribution.

GitHub has also been used for malware distribution in the past: in March this year Microsoft Security unravelled a convoluted redirection chain that led users to the code repository.

The multi-stage payload hosted on GitHub consisted of infostealers such as Lumma and Doenerium, Microsoft Security found.

Copyright © iTnews.com.au . All rights reserved.