We dissected the Astaroth malware, here’s what came out!
There is an insidious piece of malware, known as Astaroth or Guildma, that is increasingly present in the Italian corporate landscape and that, by relying on outdated programming languages, circumvents security controls and steals sensitive information. Two of our colleagues took apart, step by step, how the malware works, highlighting the level of sophistication cyber criminals can reach and the techniques they use to avoid detection.

What can save companies in the face of a targeted attack whose operators are able to alter the logic in the code of legitimate applications, compromise an operating system’s processes, or even exploit the narrow focus of detection systems with respect to old programming languages? Obviously, costs and benefits must be balanced: only by combining automated tools with experienced and passionate analysts who have adequate knowledge and skills can targeted and sophisticated threats be detected and responded to more dynamically, analyzing anomalous behavior and suspicious activity preemptively.

Those who want to learn more can read the analysis and research work behind “Let’s tear him to pieces! A brief journey into the world of Malware Analysis”, the talk given by our colleagues on stage at the latest Security Summit in Milan.

Detail: the following report takes an in-depth look at the 2024 variant of Astaroth (or “Guildma”), the information-stealing malware written in the Delphi language that has been spread since 2017 through phishing campaigns. Its development is based on old programming languages so as to avoid detection. Our experts, through a “controlled by stage” analysis technique, executed each stage of the malware atomically in order to demonstrate its respective functionality.
Through this controlled execution, it was possible to systematically observe and analyze the behavior of the malware in an isolated and controlled manner, with the goal of dissecting it, understanding in detail the steps it takes to execute the payload, and unearthing the techniques it employs to hinder and slow down the analysis process.