In short
- McAfee has discovered a Trojan campaign that uses GitHub to redirect malware to new servers when existing servers are deleted.
- The malware mainly targets countries in South America, with particular attention to Brazil.
- The malware is delivered via phishing emails and can steal banking and crypto information.
According to research from cybersecurity firm McAfee, hackers deploy a banking Trojan that taps into GitHub repositories when servers are taken down.
The Trojan, called Astaroth, is distributed via phishing emails that invite victims to download a Windows shortcut file (.lnk), which installs the malware on the host computer.
Astaroth runs in the background of a victim’s device and uses keylogging to steal banking and crypto data, transmitting such data using the Ngrok reverse proxy (an intermediary between servers).
Its unique feature is that Astaroth uses GitHub repositories to update the server configuration when the command-and-control server is taken down, which usually happens through the intervention of cybersecurity companies or law enforcement agencies.
“GitHub is not used to host the malware itself, but only to host a configuration pointing to the bot server,” said Abhishek Karnik, Director of Threat Research and Response at McAfee.
Karnik explained that the malware’s developers use GitHub as a tool to direct victims to updated servers, which sets the exploit apart from previous cases where GitHub has been exploited.
This includes an attack vector discovered by McAfee in 2024 where adversaries placed the Redline Stealer malware in GitHub repositories, something that was repeated in this year’s GitVenom campaign.
“In this case, however, it is not malware that is hosted, but a configuration that manages how the malware communicates with the backend infrastructure,” Karnik added.
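The pattern described above, a non-browser process pulling a file from GitHub and the same host then talking to an Ngrok tunnel, can be correlated in proxy logs. The following is an added detection example, not code from McAfee's research; the log format, the sample lines and the GitHub and Ngrok domain names are assumptions for illustration, not indicators from the report.

```python
"""Flag hosts where a non-browser process fetches a file from GitHub and the
same host reaches an Ngrok tunnel domain shortly afterwards.  Log format,
sample lines and domain lists are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log, one event per line: "timestamp host process destination"
SAMPLE_LOG = """\
2024-05-01T09:00:01 ws-01 chrome.exe raw.githubusercontent.com
2024-05-01T09:00:05 ws-02 wscript.exe raw.githubusercontent.com
2024-05-01T09:01:40 ws-02 wscript.exe abc123.ngrok-free.app
2024-05-01T09:05:00 ws-03 wscript.exe raw.githubusercontent.com
2024-05-01T11:00:00 ws-03 wscript.exe abc123.ngrok-free.app
2024-05-01T09:10:00 ws-04 curl.exe api.example.com
"""

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}              # benign fetchers (assumption)
CONFIG_HOSTS = {"raw.githubusercontent.com", "github.com"}           # config-hosting domains (assumption)
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")   # Ngrok tunnel domains (assumption)


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, process, destination) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, proc, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, proc, dest))
    return events


def find_suspicious_hosts(events, window_minutes=10):
    """Return hosts where a non-browser process fetched from a config host and the
    same host connected to an Ngrok tunnel domain within window_minutes afterwards."""
    window = timedelta(minutes=window_minutes)
    fetches = defaultdict(list)  # host -> timestamps of non-browser GitHub fetches
    for ts, host, proc, dest in events:
        if dest in CONFIG_HOSTS and proc.lower() not in BROWSERS:
            fetches[host].append(ts)
    hits = set()
    for ts, host, proc, dest in events:
        if not dest.endswith(TUNNEL_SUFFIXES):
            continue
        # Only pair the tunnel connection with a fetch that happened shortly before it
        if any(timedelta(0) <= (ts - f) <= window for f in fetches[host]):
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    print(find_suspicious_hosts(parse_log(SAMPLE_LOG)))  # ['ws-02']
```

Widening the window trades fewer misses for more false positives; ws-03 above is only flagged when the window covers the two-hour gap.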
Similar to the GitVenom campaign, Astaroth’s ultimate goal is to exfiltrate credentials that can be used to steal a victim’s cryptocurrency or make transfers from their bank accounts.
“We have no data on how much money or cryptocurrency has been stolen, but it appears to be common, especially in Brazil,” Karnik said.
Focused on South America
It appears that Astaroth has mainly targeted South American areas, including Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela and Panama.
Although the malware can also target Portugal and Italy, it is written so that it will not install on systems in the United States or other English-speaking countries (such as England).
The malware shuts down the host system if it detects that analysis software is running, and it activates its keylogging routine when it detects a web browser visiting certain banking sites.
These include caixa.gov.br, safra.com.br, itau.com.br, bancooriginal.com.br, santandernet.com.br and btgpactual.com.
It is also written to target the following crypto-related domains: etherscan.io, binance.com, bitcointrade.com.br, metamask.io, foxbit.com.br, and localbitcoins.com.
In light of such threats, McAfee recommends that users avoid opening attachments or links from unknown senders, while also using up-to-date antivirus software and two-factor authentication.