A new spear-phishing campaign in Brazil has been found delivering a banking malware known as Astaroth (also referred to as Guildma) by leveraging obfuscated JavaScript to bypass security defenses.
Trend Micro, a leading cybersecurity firm, reported in its recent analysis that the campaign has impacted various industries, with manufacturing companies, retail firms, and government agencies being the most affected.
"The malicious emails often impersonate official tax documents, using the urgency of personal income tax filings to trick users into downloading the malware," the researchers explained.
The cybersecurity company has named the group behind this activity cluster Water Makara. Interestingly, Google's Threat Analysis Group (TAG) refers to a similar campaign targeting Brazilian users with the same malware under the name PINEAPPLE.
Both the Water Makara and PINEAPPLE campaigns share a notable strategy: they start with phishing messages impersonating official entities such as the Receita Federal, Brazil's federal tax authority. The emails attempt to deceive recipients into downloading a ZIP archive attachment disguised as income tax documents.
Hidden within this ZIP file is a Windows shortcut (LNK) that abuses a legitimate, signed Windows utility, mshta.exe, which is designed to run HTML Application (HTA) files. The shortcut invokes mshta.exe to execute obfuscated JavaScript commands that establish a connection to a command-and-control (C2) server and retrieve the Astaroth payload, so the initial stage runs under a trusted Microsoft binary rather than a dropped executable.
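The chain above (ZIP attachment, LNK, mshta.exe with inline obfuscated script, outbound C2 fetch) leaves a recognisable process-creation footprint. The following detection logic is an added example written for this article, not code from Trend Micro or Google TAG; it assumes Sysmon-style field names and runs over constructed sample events, not real telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative, not captured from the Water Makara campaign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe javascript:eval(unescape("%76%61%72%20..."))',
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp\Temp1_declaracao.zip"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/update.hta",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"Image": r"C:\Windows\System32\mshta.exe",          # benign vendor installer
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CurrentDirectory": r"C:\Program Files\Vendor"},
    {"Image": r"C:\Windows\System32\notepad.exe",        # unrelated process
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
]

# mshta argument is an inline script rather than a file path
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
# mshta is told to load its HTA from a URL or a UNC share
REMOTE_TARGET = re.compile(r"\bhttps?://|\\\\[^\\]+\\", re.IGNORECASE)
# working directory typical of a double-clicked LNK inside an extracted ZIP
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads)(\\|$)", re.IGNORECASE)


def score_event(event):
    """Return the list of reasons an event matches the LNK -> mshta pattern ([] = no match)."""
    if not event["Image"].lower().endswith(r"\mshta.exe"):
        return []
    reasons = []
    cmd = event["CommandLine"]
    if INLINE_SCRIPT.search(cmd):
        reasons.append("inline script protocol handler passed to mshta")
    if REMOTE_TARGET.search(cmd):
        reasons.append("mshta loading HTA content from a remote location")
    if (event["ParentImage"].lower().endswith(r"\explorer.exe")
            and USER_WRITABLE.search(event["CurrentDirectory"])):
        reasons.append("launched by Explorer from a user-writable directory (LNK in extracted ZIP)")
    return reasons


def find_suspicious(events):
    """Return (index, reasons) for every event that triggers at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := score_event(e))]
```

A local HTA run by a vendor installer trips none of the rules, while either campaign-style launch pattern produces two independent reasons, which is what makes the alert worth triaging rather than tuning out.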
Astaroth Banking Malware: Persistent and Evolving
While Astaroth may appear to be an older banking trojan, its reemergence in this campaign—and its continuous evolution—keeps it a formidable threat. According to the researchers, the impact of Astaroth extends beyond just data theft.
“Beyond stolen data, its impact extends to long-term damage to consumer trust, regulatory fines, and increased costs from business disruption and downtime, as well as recovery and remediation,” they stated.
To mitigate the risks posed by Astaroth and similar attacks, it's crucial for organizations to enforce strong password policies, implement multi-factor authentication (MFA), ensure security solutions and software are regularly updated, and apply the principle of least privilege (PoLP) to limit the exposure of critical systems.