Astaroth Banking Trojan Campaign Abuses GitHub for Configuration Hosting
The Astaroth banking trojan has resurfaced with a campaign that hosts its malware configurations in GitHub repositories, which makes it considerably more resilient to takedown efforts. Researchers at McAfee and other organizations observed that, rather than relying solely on traditional command-and-control (C2) servers, the operators use GitHub's trusted infrastructure to store and distribute configuration files and redirection instructions. This lets them update the trojan's settings and switch to new C2 servers as needed, so that neutralizing any single C2 server does little to stop the campaign and leaves law enforcement and security teams with a far harder disruption problem.

The attack chain typically begins with a phishing email that lures the victim into downloading a ZIP file containing a malicious LNK shortcut. When executed, the shortcut launches obfuscated JavaScript via mshta.exe, which downloads several files: an AutoIt script, the AutoIt interpreter, an encrypted payload, and an encrypted configuration file. The AutoIt script builds and executes shellcode in memory, which loads a Delphi DLL; that DLL decrypts the final Astaroth payload and injects it into a newly created RegSvc.exe process, letting the malware run without writing the payload to disk. Persistence is achieved by dropping an LNK file in the Startup folder so that the AutoIt script runs again after a reboot.

Astaroth is known for fileless operation and anti-analysis techniques, and it avoids systems with US or English locales. Its targeting is concentrated on South American countries such as Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama, with some activity also noted in Portugal and Italy. The trojan monitors foreground windows for banking and cryptocurrency sites and, when one is detected, hooks the keyboard to capture credentials via keylogging. Stolen data is exfiltrated to the attackers' infrastructure through the Ngrok reverse proxy, which further complicates tracing or blocking the traffic.

Experts warn that GitHub's high availability and trusted reputation not only make takedowns harder but also raise concern that the campaign could expand beyond its current regional focus. Using public repositories for configuration management lets the operators adapt quickly and keep running even as individual C2 nodes are neutralized. This infrastructure abuse is part of a broader trend of adversaries exploiting legitimate cloud and code-hosting platforms to evade detection and maintain operational continuity.

The reliance on phishing as the initial infection vector underscores the continued importance of user awareness and email security controls, and the multiple layers of obfuscation and in-memory execution illustrate the evolving tradecraft of financially motivated cybercriminals. The focus on banking credentials and cryptocurrency accounts shows a clear intent to monetize stolen information, and the combination of AutoIt scripting with on-the-fly configuration updates makes this variant of Astaroth particularly challenging to defend against. Security experts recommend heightened vigilance, robust endpoint protection, and monitoring for suspicious use of legitimate platforms like GitHub in enterprise environments; the campaign is a reminder of the persistent threat posed by banking trojans and the need for adaptive, multi-layered defense strategies.
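The infection chain above maps onto a handful of host and network observables a defender can alert on: mshta.exe spawned from explorer.exe with an inline script, an AutoIt interpreter running out of a user-writable directory, RegSvc.exe started by something other than the service manager, a non-browser process fetching from GitHub, traffic to an ngrok tunnel, and a shortcut written into the Startup folder. The following Python is an added example written for this page, not code from the article or from any vendor's rule set. The event classes and their field names are an assumed, simplified telemetry schema (modelled loosely on Sysmon process, network and file events), the sample events are constructed, the AutoIt3.exe image name and the RegSvc.exe parent heuristic are assumptions about the legitimate binaries, and the ngrok suffixes are the service's public tunnel domains.

```python
"""Heuristic detections for the Astaroth chain described above.

Added example, not from the original article. Event shapes and field
names are an assumed simplified schema; all sample events are constructed.
"""
from dataclasses import dataclass
from typing import List, Union


@dataclass
class ProcEvent:          # process creation (assumed schema)
    image: str            # full path of the new process
    parent_image: str     # full path of the parent process
    command_line: str


@dataclass
class NetEvent:           # outbound connection (assumed schema)
    image: str
    dest_host: str


@dataclass
class FileEvent:          # file creation (assumed schema)
    image: str            # process that wrote the file
    target_path: str


Event = Union[ProcEvent, NetEvent, FileEvent]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
NGROK_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcEvent) -> List[str]:
    hits: List[str] = []
    img, parent, cmd = _base(ev.image), _base(ev.parent_image), ev.command_line.lower()
    # Stage 1: LNK double-clicked in explorer runs mshta.exe with inline script or a URL.
    if img == "mshta.exe" and parent == "explorer.exe" and any(
            k in cmd for k in ("javascript:", "vbscript:", "http")):
        hits.append("stage1: mshta.exe with inline script/URL launched from explorer.exe")
    # Stage 2: AutoIt interpreter (assumed image name AutoIt3*.exe) in a user-writable dir.
    if img.startswith("autoit3") and any(d in ev.image.lower() for d in USER_WRITABLE):
        hits.append("stage2: AutoIt interpreter running from a user-writable directory")
    # Stage 3: RegSvc.exe is the injection target; assume the legitimate one is
    # started by services.exe, so any other parent is anomalous.
    if img == "regsvc.exe" and parent != "services.exe":
        hits.append(f"stage3: RegSvc.exe spawned by unexpected parent {parent}")
    return hits


def check_network(ev: NetEvent) -> List[str]:
    hits: List[str] = []
    img, host = _base(ev.image), ev.dest_host.lower()
    # Config retrieval: GitHub reached by something that is not a browser.
    if host in CODE_HOSTS and img not in BROWSERS:
        hits.append(f"config-fetch: non-browser {img} contacting {host}")
    # Exfiltration: any process talking to an ngrok tunnel endpoint.
    if host.endswith(NGROK_SUFFIXES):
        hits.append(f"exfil: {img} contacting ngrok tunnel {host}")
    return hits


def check_file(ev: FileEvent) -> List[str]:
    path = ev.target_path.lower()
    # Persistence: a .lnk dropped in the Startup folder by a non-shell process.
    if STARTUP_DIR in path and path.endswith(".lnk") and _base(ev.image) != "explorer.exe":
        return [f"persistence: {_base(ev.image)} wrote shortcut to Startup folder"]
    return []


def scan(events: List[Event]) -> List[str]:
    findings: List[str] = []
    for ev in events:
        if isinstance(ev, ProcEvent):
            findings += check_process(ev)
        elif isinstance(ev, NetEvent):
            findings += check_network(ev)
        elif isinstance(ev, FileEvent):
            findings += check_file(ev)
    return findings


# Constructed sample telemetry: six malicious-looking events plus two benign ones.
TMP = r"C:\Users\alice\AppData\Local\Temp\upd"
SAMPLE_EVENTS: List[Event] = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta.exe javascript:eval(...)"),
    ProcEvent(TMP + r"\AutoIt3.exe", r"C:\Windows\System32\mshta.exe", "AutoIt3.exe loader.a3x"),
    ProcEvent(r"C:\Windows\System32\RegSvc.exe", TMP + r"\AutoIt3.exe", "RegSvc.exe"),
    NetEvent(TMP + r"\AutoIt3.exe", "raw.githubusercontent.com"),
    NetEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "github.com"),  # benign
    NetEvent(r"C:\Windows\System32\RegSvc.exe", "abc123.ngrok-free.app"),
    FileEvent(TMP + r"\AutoIt3.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r"mshta.exe C:\Program Files\Vendor\help.hta"),  # benign local HTA
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Each check is deliberately narrow so it can be tuned independently: the GitHub rule will fire on developer tooling such as git or package managers and needs an allow-list in practice, and the AutoIt rule misses a renamed interpreter, so pairing it with a file-hash or PE-metadata match is the usual hardening step.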

How this story unfolded
Three events, listed from the most recent confirmed update back to the earliest known activity.
McAfee reports malicious GitHub content, prompting takedown
McAfee reported the abuse of GitHub to the platform, and malicious files associated with the Astaroth campaign were taken down. Despite that action, the campaign was reported to remain resilient by relying on GitHub-based backup mechanisms.
Researchers detail steganography in GitHub-hosted images for backup C2
Follow-on reporting described the same Astaroth campaign using steganography to hide malicious code or setup data inside images hosted on GitHub, creating a covert backup command-and-control channel. The activity was reported as targeting Brazilian banking customers and other financial victims in Latin America, with some reports also noting Portugal and Italy.
McAfee identifies Astaroth campaign using GitHub for C2 resilience
McAfee Threat Research observed a new Astaroth banking trojan campaign that uses GitHub repositories to host malware configuration and redirection data as part of its command-and-control infrastructure. The tactic was described as making takedowns harder and allowing operators to update configurations dynamically to survive C2 disruptions.
Sources
Astaroth Malware Uses Steganography in GitHub Images for Covert C2 Backup and Brazilian Bank Theft (securityonline.info)
Astaroth Trojan Uses GitHub Images to Stay Active After Takedowns (hackread.com)
Astaroth Trojan abuses GitHub to host configs and evade takedowns (securityaffairs.com)
New Astaroth banking trojan leverages GitHub repos (scworld.com)