
In these observed campaigns, a ZIP archive containing an LNK file is downloaded upon clicking the provided URLs. Extracting and running the LNK file ultimately leads to Astaroth’s installation. During installation, Astaroth creates an LNK file in the system's Startup folder to maintain persistence on the infected system and ensure Astaroth runs upon system startup. While TA2725 has recently been primarily distributing Astaroth, they have also been tracked spreading Mispadu, Grandoreiro, and, most recently, ScreenConnect.
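The Startup-folder LNK persistence described above is something a defender can audit directly. The PowerShell script below is an added example, not part of this advisory and not code from any vendor: it enumerates the per-user and all-users Startup folders, resolves each shortcut's target, arguments and working directory through the WScript.Shell COM object, and flags shortcuts whose target is a script host or lives in a user-writable location. The "suspicious" heuristics (the interpreter list and the writable-path list) are generic triage assumptions, not indicators taken from this campaign, so every flagged entry still needs analyst review.

```powershell
# Added example (not from the NJCCIC advisory): inventory Startup-folder
# shortcuts and resolve where they point, for persistence triage.

# Both Startup locations: current user and all users.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Assumed triage heuristics (generic, not campaign-specific):
# script/LOLBin hosts commonly abused by shortcut-based loaders, and
# user-writable directories where a dropped payload would typically live.
$interpreterNames = @('wscript.exe', 'cscript.exe', 'mshta.exe',
                      'powershell.exe', 'pwsh.exe', 'cmd.exe',
                      'rundll32.exe', 'regsvr32.exe')
$writableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                   $env:PUBLIC, $env:ProgramData) | Where-Object { $_ }

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    # -Force includes hidden shortcuts, which a dropper may set.
    Get-ChildItem -LiteralPath $folder -Filter *.lnk -File -Force | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        $targetName = if ($target) { [IO.Path]::GetFileName($target).ToLowerInvariant() } else { '' }

        $reasons = @()
        if ($interpreterNames -contains $targetName) {
            $reasons += "target is script host '$targetName'"
        }
        foreach ($root in $writableRoots) {
            if ($target -and $target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "target under user-writable path '$root'"
                break
            }
        }
        # The Arguments field is where a shortcut to a host binary usually
        # carries the real payload path or inline command.
        if ($lnk.Arguments -and $lnk.Arguments.Length -gt 200) {
            $reasons += 'unusually long argument string'
        }

        [PSCustomObject]@{
            Shortcut   = $_.FullName
            Target     = $target
            Arguments  = $lnk.Arguments
            WorkingDir = $lnk.WorkingDirectory
            CreatedUtc = $_.CreationTimeUtc
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Flagged entries first; an empty list means no .lnk files were found.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it from a normal user prompt to cover the current profile, and from an elevated prompt to read the all-users Startup folder on hardened systems. Pair the shortcut's creation time with proxy or mail-gateway logs from the same window to connect a flagged entry back to the ZIP download that placed it.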
Recommendations
- Facilitate user awareness training to include these types of phishing-based techniques.
- Avoid clicking links and opening attachments in unsolicited emails.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Review the NJCCIC product Don't Take the Bait! Phishing and Other Social Engineering Attacks for more information on common phishing and social engineering attacks.
- Maintain robust and up-to-date endpoint detection tools on every endpoint.
- Consider leveraging behavior-based detection tools rather than signature-based tools.
- Report phishing and other malicious cyber activity to the FBI's IC3 and the NJCCIC.
