Astaroth Banking Trojan Harnessing GitHub to Steal Crypto Credentials

Hackers are deploying a banking Trojan that makes use of GitHub repositories whenever its servers are taken down, according to research from cybersecurity firm McAfee.

Dubbed Astaroth, the Trojan virus is spread via phishing emails that invite victims to download a Windows (.lnk) file, which installs the malware on a host computer.

Astaroth runs in the background of a victim’s device, using keylogging to steal banking and crypto credentials, and sending such credentials using the Ngrok reverse proxy (an intermediary between servers).

Its unique feature is that Astaroth uses GitHub repositories to update its server configuration whenever its command-and-control server is taken down, which usually happens because of intervention from cybersecurity firms or law enforcement agencies.

“GitHub is not used to host the malware itself, but just to host a configuration that points to the bot server,” said Abhishek Karnik, Director for Threat Research and Response at McAfee.

Speaking to Decrypt, Karnik explained that the malware’s deployers are using GitHub as a resource to direct victims to updated servers, which distinguishes the exploit from previous instances in which GitHub has been harnessed.

This includes an attack vector discovered by McAfee in 2024, in which bad actors inserted the Redline Stealer malware into GitHub repositories, something which has been repeated this year in the GitVenom campaign.

“However, in this case, it’s not malware that is being hosted but a configuration that manages how the malware communicates with its backend infrastructure,” Karnik added.

As with the GitVenom campaign, Astaroth’s ultimate purpose is to exfiltrate credentials that can be used to steal a victim’s crypto or to make transfers out of their bank accounts.

“We don’t have data about how much money or crypto it has stolen, but it appears to be very prevalent, especially in Brazil,” said Karnik.

Targeting South America

It seems that Astaroth has primarily targeted South American territories, including Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela and Panama.

While it is also capable of targeting Portugal and Italy, the malware is written so that it is not uploaded to systems in the United States or other English-speaking countries (such as England).

The malware shuts down its host system if it detects that analysis software is being operated, while it’s designed to run keylogging functions if it detects that a web browser is visiting certain banking sites.

These include caixa.gov.br, safra.com.br, itau.com.br, bancooriginal.com.br, santandernet.com.br and btgpactual.com.

It has also been written to target the following crypto-related domains: etherscan.io, binance.com, bitcointrade.com.br, metamask.io, foxbit.com.br and localbitcoins.com.

In the face of such threats, McAfee advises that users do not open attachments or links from unknown senders, while also using up-to-date antivirus software and two-factor authentication.