HomeNewsAstaroth malware uses YouTube channel descriptions for hacks

Astaroth malware uses YouTube channel descriptions for hacks

If you purchase via links on our reader-supported site, we may receive affiliate commissions.
cyberghost vpn ad

Cybersecurity researchers have once again exposed an infamous Astaroth infostealer malware having been discovered firstly out of the wild in 2018, it has been confirmed to be currently wreaking havoc within the South American nation of Brazil for now using a stiffed of anti-analysis and anti-sandbox checks to evade detection by cybersecurity and research experts.

Another cyber-security researcher Talos says that when a user is infected by Astaroth, the malware connects to a YouTube channel, from where it extracts the channel description field containing encrypted and base64-encoded text with the URLs emanating from its control and command server. Once the text is decoded, Astaroth connects to these URLs to transmit new instructions and to transfer hacked data for storage.

What Is The Astaroth Infostealer Malware?

A team of researchers from IBM’s X-Force explained the malware as:

“This malware has been existing since 2017 using fake invoice emails disguised as coming from a legitimate vendor using the cam.br domains. PDC estimated that about 8,000 customers using their machines recorded attacks of this nature within a week. Using Cloudflare based URLs, the campaign seems to target potential users in South America. If a potential victim does not have a South American based IP address, the malware does not attempt to infect the system recently. The initial payload is a malicious.LNK file that points to the next stage of infection. The infection process uses the Windows Management Instrumentation Console (WMIC) and its command-line interface to download and install the malicious payload in a non-interactive mode so that the user is not aware of what is happening. To “hide in plain sight”, the malware uses a domain selected from a list of 154 domains within its code and the rest of the URL that points to the payload is added. All the domains in the list were hosted on Cloudflare. Using a legitimate vendor like this, it is harder for companies to blacklist malicious communication.”

As discovered first by Researchers from IBM and Cybereason, the popular info-stealing trojan has recently received notable upgrades that have given its features like being able to evade detection with less information for researchers to analyze it with. Its current attack has remained in Brazil for now but there is no tendency it will not spread as it has once been known to attack users from countries in Europe.


Noredia Imuwahen
Noredia Imuwahen
Business Administrator, Writer, Social media manager, and a content management enthusiast.


Delete Me
Incogni Black Friday Ad
Heimdal Security ad

Subscribe to SecureBlitz Newsletter

* indicates required


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.