The Astaroth banking Trojan is using GitHub to bypass blocks and download its configuration.
McAfee specialists have reported new activity from the Astaroth banking Trojan, which has started using GitHub as a resilient channel for delivering configuration data. This approach allows attackers to maintain control over infected devices even after their primary command servers are disabled, significantly increasing the malware's survivability and complicating its neutralization.
The attack begins with a phishing email disguised as a notification from popular services like DocuSign or containing a fake job applicant's resume. The email body contains a link that leads to the download of a ZIP archive. Inside is a shortcut file (.lnk) that launches a hidden JavaScript via mshta.exe. This script downloads a new set of files from a remote server, access to which is restricted by geography—the malware is only downloaded onto devices in targeted regions.
The downloaded set includes an AutoIT script, an AutoIT interpreter, the encrypted body of the Trojan itself, and a separate configuration file. The script deploys shellcode in memory and injects a DLL into the RegSvc.exe process, using anti-analysis techniques and hijacking the standard kernel32.dll API. The loaded module, written in Delphi, thoroughly checks its environment: if a sandbox, a debugger, or an English-language system locale is detected, execution stops immediately.
Astaroth constantly monitors which windows are open on the screen. If the user visits a bank or crypto service website, the Trojan activates a keylogger, intercepting all keystrokes. It targets window class names such as those for Chrome, Mozilla, IEFrame, and others. Among the targeted resources are websites of major Brazilian banks and cryptocurrency platforms, including Binance, Metamask, Etherscan, and LocalBitcoins. All stolen data is sent to the attackers' server using a custom protocol or via the Ngrok reverse proxy service.
A unique aspect of this campaign is that Astaroth uses GitHub to update its configuration. Every two hours, the Trojan downloads a PNG image from a public repository, which contains an encrypted config hidden using steganography. The discovered repositories contained images with a pre-defined naming format and were promptly removed at the researchers' request. However, this approach demonstrates how legitimate platforms can be used as a fallback communication channel for malware.
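As an added illustration, not from McAfee's report, here is a small detection sketch for two of the behaviours described above: mshta.exe started with a remote script (the .lnk stage) and a non-browser process fetching PNG files from a GitHub repository at a steady two-hour cadence (the config-update stage). The log format, host names, process names and URLs are constructed for the example; the raw.githubusercontent.com host is an assumption, since the article only says "a public repository".

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry (not real logs): ts host kind image parent detail
# kind=proc -> detail is the command line; kind=net -> detail is the URL fetched.
SAMPLE_LOG = """\
2024-05-01T08:00:01 host1 proc mshta.exe explorer.exe mshta.exe https://cdn.example.invalid/loader.hta
2024-05-01T08:02:10 host1 net RegSvc.exe - https://raw.githubusercontent.com/acct/repo/main/img_01.png
2024-05-01T10:02:12 host1 net RegSvc.exe - https://raw.githubusercontent.com/acct/repo/main/img_02.png
2024-05-01T12:02:09 host1 net RegSvc.exe - https://raw.githubusercontent.com/acct/repo/main/img_03.png
2024-05-01T09:15:00 host2 net chrome.exe - https://raw.githubusercontent.com/org/site/main/logo.png
2024-05-01T09:16:00 host2 proc mshta.exe explorer.exe mshta.exe C:\\temp\\local.hta
"""

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
GITHUB_RAW_HOST = "raw.githubusercontent.com"  # assumption: config PNG fetched via raw URL

def parse(text):
    """Split the constructed log into records; the detail field may contain spaces."""
    recs = []
    for line in text.splitlines():
        ts, host, kind, image, parent, detail = line.split(" ", 5)
        recs.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind,
                     "image": image.lower(), "parent": parent.lower(), "detail": detail})
    return recs

def flag_mshta_remote(recs):
    """mshta.exe launched with a remote script URL (the .lnk -> mshta stage)."""
    return [r for r in recs if r["kind"] == "proc" and r["image"] == "mshta.exe"
            and "http" in r["detail"].lower()]

def flag_github_png_beacon(recs, period=timedelta(hours=2),
                           slack=timedelta(minutes=10), min_hits=3):
    """Non-browser process fetching GitHub-hosted PNGs at a steady ~2h cadence."""
    fetches = defaultdict(list)
    for r in recs:
        if r["kind"] != "net" or r["image"] in BROWSERS:
            continue
        u = urlparse(r["detail"])
        if u.hostname == GITHUB_RAW_HOST and u.path.lower().endswith(".png"):
            fetches[(r["host"], r["image"])].append(r["ts"])
    hits = []
    for key, times in fetches.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - period) <= slack for g in gaps):
            hits.append(key)
    return hits
```

The cadence check is the useful part: a single PNG download from GitHub is normal, but the same non-browser process pulling one every two hours is the pattern the article describes.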
To persist on the system, the Trojan places a shortcut in the startup folder, ensuring it launches automatically with every system boot. Despite the technical complexity of the attack, the primary vector remains social engineering and users' trust in emails.
During the investigation, specialists found that the main infection geography is concentrated in South America—primarily in Brazil, but also in Argentina, Colombia, Chile, Peru, Venezuela, and other countries in the region. Activity in Portugal and Italy is also possible.
McAfee emphasizes that such schemes highlight the need for more vigilant monitoring of open platforms like GitHub, as attackers increasingly use them to bypass traditional blocking mechanisms. The company has already reported the malicious repositories, which were removed promptly, temporarily disrupting Astaroth's update chain.
