
New Astaroth banking trojan leverages GitHub repos


A new Astaroth campaign has put a new twist on infrastructure abuse.

In an Oct. 10 blog post, McAfee’s Threat Research team reported that instead of relying solely on traditional command-and-control (C2) servers that attackers can take down, these bad actors leverage GitHub repositories to host malware configurations.

John Carberry, solution sleuth at Xcape Inc., said the Astaroth banking trojan is back with a new campaign that cleverly exploits GitHub for C2, making it harder to shut down. This malware, which started by targeting South and Central America, uses GitHub's trusted infrastructure to distribute its malicious payloads, allowing it to resist takedowns.

“Astaroth is a sneaky, fileless trojan known for stealing credentials and injecting itself into banking websites,” said Carberry. “It usually spreads through phishing emails. Though currently focused regionally, its use of GitHub bypasses typical security measures, raising fears of a potential expansion to North America.”

Louis Eichenbaum, Federal CTO at ColorTokens, said GitHub has historically been exploited by threat actors to host malware used in attacks against the banking industry. Its high availability, trusted reputation, and convenient raw file URLs make it an attractive platform for adversaries, said Eichenbaum.

“The Astaroth campaign introduces a new twist: instead of merely hosting malicious binaries, it uses public GitHub repositories to store configuration files and redirection instructions,” said Eichenbaum. “This enables Astaroth to dynamically update its infrastructure, survive takedowns, and switch to new C2 servers, greatly improving its resilience.”
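As an added defender-side example (not code from the article, McAfee's report, or any of the quoted vendors): a small Python scan over constructed proxy log lines that flags raw-GitHub fetches made by processes outside an assumed allow-list and counts repeated fetches of the same file, the pattern a periodic configuration refresh would leave behind. The log format, host names, process allow-list and sample URLs are all assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines for this example (not from the article or McAfee's report).
# Fields: timestamp host process url user_agent
SAMPLE_LOG = """\
2025-10-10T09:01:12Z host01 chrome.exe https://raw.githubusercontent.com/acme/docs/main/README.md Mozilla/5.0
2025-10-10T09:01:40Z host01 git.exe https://github.com/acme/tool.git git/2.42
2025-10-10T09:02:05Z host02 wscript.exe https://raw.githubusercontent.com/example-org/repo/main/cfg.txt Mozilla/4.0
2025-10-10T09:12:07Z host02 wscript.exe https://raw.githubusercontent.com/example-org/repo/main/cfg.txt Mozilla/4.0
2025-10-10T09:22:09Z host02 wscript.exe https://raw.githubusercontent.com/example-org/repo/main/cfg.txt Mozilla/4.0
2025-10-10T09:30:00Z host03 code.exe https://raw.githubusercontent.com/ms/vscode/main/x.json VSCode
"""

# Hosts that serve raw repository content. Which of these show up in your proxy
# logs is an assumption; adjust the set to your environment.
RAW_HOSTS = {"raw.githubusercontent.com", "gist.githubusercontent.com", "objects.githubusercontent.com"}
# Processes expected to pull raw GitHub files (browsers, git, developer tools). Assumed allow-list.
EXPECTED_PROCS = {"chrome.exe", "firefox.exe", "msedge.exe", "git.exe", "code.exe", "python.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Yield (timestamp, host, process, url, user_agent) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_raw_github_fetches(text):
    """Return (host, process, url, count) for every raw-GitHub fetch made by a process
    that is not on the allow-list. The count shows how often the same file was pulled:
    repeated fetches of one small file from a scripting host look like config polling."""
    seen = defaultdict(int)
    for _ts, host, proc, url, _ua in parse_log(text):
        netloc = urlparse(url).netloc.lower()
        if netloc in RAW_HOSTS and proc.lower() not in EXPECTED_PROCS:
            seen[(host, proc, url)] += 1
    return sorted((h, p, u, n) for (h, p, u), n in seen.items())


if __name__ == "__main__":
    for host, proc, url, n in find_raw_github_fetches(SAMPLE_LOG):
        print(f"{host}: {proc} fetched {url} {n} time(s)")
```

The hit for `wscript.exe` is the one worth triaging: a scripting host pulling the same raw repository file three times in twenty minutes matches the config-hosting behaviour described above, while the browser and editor fetches are filtered out by the allow-list.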

Kern Smith, vice president of global solutions at Zimperium, added that mobile malware is not only persisting, but growing. Kern said the advent of AI tools has lowered the barrier to entry, enabling threat actors to create and modify mobile malware at scale.

“As a result, we are seeing increasingly sophisticated campaigns that demand defenses capable of identifying and stopping these threats in real time,” said Smith. “Organizations need tools purpose-built for mobile that can adapt as quickly as attackers evolve.”
