The Astaroth banking Trojan uses GitHub to host malware configs, evade C2 takedowns and stay active by pulling new settings from the platform.

McAfee discovered a new Astaroth campaign using GitHub repositories to host malware configurations. This allows attackers to evade takedowns by pulling fresh configs from GitHub whenever C2 servers are shut down, ensuring continuous operation and resilience against law enforcement actions.

Astaroth mainly targets South America (Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama), but has also hit Portugal and Italy.

The attack chain starts with phishing emails containing a link to a ZIP that holds an LNK, which launches obfuscated JavaScript via mshta.exe.

“The attack starts with an e-mail to the victim which contains a link to a site that downloads a zip file.” reads the report published by Trend Micro. “Emails with themes such as DocuSign and resumes are used to lure the victims into downloading a zip file.”

The JS (geo-restricted) downloads files to ProgramData: an AutoIt script, the AutoIt interpreter, an encrypted payload (stack.tmp) and an encrypted config. The AutoIt script builds and runs shellcode in memory. The script then hooks LocalCompact, resolves APIs and loads a Delphi DLL, which decrypts and injects the final Astaroth payload into a new RegSvc.exe process.

Astaroth (written in Delphi) performs anti-analysis checks, avoids US/English locales, and monitors foreground windows for banking and crypto sites. When one is detected, it hooks the keyboard to steal credentials via keylogging.

The banking Trojan transmits the captured data to the attackers’ infrastructure using the Ngrok reverse proxy.

Astaroth maintains persistence by dropping an LNK file in the Startup folder, which runs the AutoIt script to launch the malicious code when the system reboots.

“Think of it like a criminal who keeps backup keys to your house hidden around the neighborhood. Even if you change your locks, they’ve got another way in.” McAfee concludes.

Trend Micro published Indicators of Compromise (IoCs) for this campaign.

Pierluigi Paganini (SecurityAffairs – hacking, Astaroth banking Trojan)
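The chain described above (LNK to mshta.exe running script, a renamed AutoIt interpreter and script staged under ProgramData, RegSvc.exe spawned from that ProgramData process, and a Startup-folder LNK for persistence) can be turned into host-level detection logic. The following is an added example, not code from the article or from McAfee or Trend Micro; the events, hostnames, paths and the stage names are constructed for illustration and are not the campaign's IoCs.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (Sysmon-style process/file events), modelled on the
# Astaroth chain described in the article. All paths and names are illustrative.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "proc", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe javascript:eval(unescape('%76%61%72...'))"},
    {"host": "ws01", "type": "proc", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\ProgramData\Hr4kz\svc.exe",
     "cmdline": r"svc.exe C:\ProgramData\Hr4kz\run.a3x"},
    {"host": "ws01", "type": "proc", "parent": r"C:\ProgramData\Hr4kz\svc.exe",
     "image": r"C:\Windows\System32\RegSvc.exe", "cmdline": "RegSvc.exe"},
    {"host": "ws01", "type": "file",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"host": "ws02", "type": "proc", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},  # ordinary HTA, no match
]

PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.I)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)

def stage_of(ev):
    """Map one event to the Astaroth chain stage it resembles, or None."""
    if ev["type"] == "file":
        return "startup_lnk" if STARTUP_LNK.search(ev["path"]) else None
    image, cmd, parent = ev["image"].lower(), ev["cmdline"].lower(), ev["parent"].lower()
    if image.endswith("\\mshta.exe") and re.search(r"javascript:|vbscript:|https?://", cmd):
        return "mshta_script"        # LNK -> mshta.exe executing inline/obfuscated script
    if PROGRAMDATA.match(image) and ("autoit" in image or re.search(r"\.a3x\b", cmd)):
        return "autoit_programdata"  # (renamed) AutoIt interpreter + .a3x script in ProgramData
    if image.endswith("\\regsvc.exe") and PROGRAMDATA.match(parent):
        return "regsvc_injection"    # RegSvc.exe spawned by the ProgramData-resident process
    return None

def stages_by_host(events):
    """Collect the distinct chain stages observed per host."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return dict(seen)

def suspicious_hosts(events, min_stages=2):
    """Hosts where at least min_stages distinct stages of the chain were observed."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)
```

Requiring several stages on one host, rather than alerting on a lone mshta.exe launch, keeps the logic robust against the interpreter being renamed or a single stage being missed in telemetry.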