Astaroth’s Hidden LNK

Image Source: Proofpoint
The NJCCIC’s email security solution observed an uptick in campaigns spreading Astaroth malware from TA2725. Astaroth, first spotted in 2017, is an information-stealing trojan that primarily targets businesses in Brazil, Europe, and other countries throughout Latin America. Recently observed phishing emails from TA2725 contain Portuguese lures masquerading as curriculum vitae (CV), invoices, or DocuSign notifications.
Image Source: Proofpoint
In these observed campaigns, a ZIP archive containing an LNK file is downloaded upon clicking the provided URLs. Extracting and running the LNK file ultimately leads to Astaroth’s installation. During installation, Astaroth creates an LNK file in the system’s Startup folder to maintain persistence on the infected system and ensure Astaroth runs upon system startup. While TA2725 has recently been primarily distributing Astaroth, they have also been tracked spreading Mispadu, Grandoreiro, and, most recently, ScreenConnect.
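The Startup-folder LNK persistence described above is straightforward to audit from a defender's side. The following PowerShell script is an added example, not code from the advisory or from Proofpoint: it enumerates .lnk files in the per-user and all-users Startup folders, resolves each shortcut's target and arguments through the WScript.Shell COM object, and flags the heuristics a responder would look at first. The list of script-host executables, the user-writable-path pattern, and the argument-length threshold are assumptions chosen for illustration, not indicators taken from this campaign.

```powershell
# Added example: audit Startup-folder shortcuts for persistence-style LNK files.
# Heuristics (script hosts, writable paths, long arguments) are illustrative assumptions.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Assumed watch list: interpreters and LOLBins commonly abused as shortcut targets.
$scriptHosts = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe',
                 'pwsh.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe')
$writablePathPattern = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'

$shell = New-Object -ComObject WScript.Shell

$results = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk       = $shell.CreateShortcut($_.FullName)
            $target    = [string]$lnk.TargetPath
            $arguments = [string]$lnk.Arguments
            $exeName   = [IO.Path]::GetFileName($target).ToLowerInvariant()

            $flags = @()
            if ($scriptHosts -contains $exeName)        { $flags += 'script/LOLBin host' }
            if ($target -match $writablePathPattern)    { $flags += 'target in user-writable path' }
            if ($arguments.Length -gt 200)              { $flags += 'unusually long arguments' }
            if (-not (Test-Path -LiteralPath $target))  { $flags += 'target missing' }

            [PSCustomObject]@{
                Shortcut  = $_.FullName
                Created   = $_.CreationTime
                Target    = $target
                Arguments = $arguments
                Flags     = ($flags -join '; ')
            }
        }
}

# Show everything, flagged entries first, so benign vendor shortcuts are still visible.
$results | Sort-Object { [string]::IsNullOrEmpty($_.Flags) }, Created -Descending |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated session to read the all-users Startup folder reliably; a flagged entry is a lead to triage (creation time, signer of the target, parent process at creation), not a verdict on its own.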