{"description": "Enterprise techniques used by Astaroth, ATT&CK software S0373 (v2.3)", "name": "Astaroth (S0373)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) creates a startup item for persistence. (Citation: Cofense Astaroth Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "[Astaroth](https://attack.mitre.org/software/S0373)'s initial payload is a malicious .LNK file. (Citation: Cofense Astaroth Sept 2018)(Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. (Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) spawns a CMD process to execute commands. (Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) has used malicious VBS e-mail attachments for execution.(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) uses JavaScript to perform its core functionalities. (Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) uses an external software known as NetPass to recover passwords. (Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) encodes data using Base64 before sending it to the C2 server. (Citation: Cofense Astaroth Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) collects data in a plaintext file named r1.log before exfiltration. (Citation: Cofense Astaroth Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. (Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) has used a DGA in C2 communications.(Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) exfiltrates collected information from its r1.log file to the external C2 server. (Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. (Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.004", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) can abuse alternate data streams (ADS) to store content for malicious payloads.(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) can launch itself via DLL Search Order Hijacking.(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) uses [certutil](https://attack.mitre.org/software/S0160) and [BITSAdmin](https://attack.mitre.org/software/S0190) to download additional malware. (Citation: Cofense Astaroth Sept 2018)(Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) logs keystrokes from the victim's machine. (Citation: Cofense Astaroth Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) uses a software packer called Pe123\\RPolyCryptor.(Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) has obfuscated and randomized parts of the JScript code it is initiating.(Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) has used an XOR-based algorithm to encrypt payloads twice with different keys.(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) has been delivered via malicious e-mail attachments.(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) searches for different processes on the system.(Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.(Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1129", 
"comment": "[Astaroth](https://attack.mitre.org/software/S0373) uses the LoadLibraryExW() function to load additional modules. (Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) checks for the presence of Avast antivirus in the C:\\Program\\Files\\ folder. (Citation: Cofense Astaroth Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.001", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) uses ActiveX objects for file execution and manipulation. (Citation: Cofense Astaroth Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) can be loaded through regsvr32.exe.(Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) collects the machine name and keyboard language from the system. (Citation: Cofense Astaroth Sept 2018)(Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) collects the external IP address from the system. (Citation: Cofense Astaroth Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) collects the timestamp from the infected machine. (Citation: Cofense Astaroth Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) uses an external software known as NetPass to recover passwords. (Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) has used malicious files including VBS, LNK, and HTML for execution.(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments.(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.(Citation: Securelist Brazilian Banking Malware July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) uses WMIC to execute payloads. (Citation: Cofense Astaroth Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1220", "comment": "[Astaroth](https://attack.mitre.org/software/S0373) executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. (Citation: Cybereason Astaroth Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Astaroth", "color": "#66b1ff"}]}