Astaroth Evolves: Why Web-Based Phishing is Changing the Threat Landscape
The Rise of Web-Based "Man-in-the-Middle" Phishing Attacks
A new variant of the Astaroth phishing kit has emerged — and it's a perfect example of how the cyber threat landscape keeps evolving beyond traditional malware.
Unlike earlier versions of Astaroth (which relied on downloading malicious scripts or abusing built-in Windows tools like WMIC), this latest version operates entirely within the browser as a web-based man-in-the-middle attack.
That means: - No malware download. - No malicious executables to block. - No obvious indicators of compromise (IOC) on the victim's endpoint.
This approach poses challenges for most cybersecurity solutions — including ours at White Cloud Security — because there is no malicious file to block and the actual attack occurs outside the Endpoint's "perimeter of defense". Cybersecurity vendors are left attempting to provide a blacklisting solution for blocking malicious domains and IP addresses. Unfortunately, the 'Fast Flux' cybercriminal technique helps hackers evade the current DNS and IP address blacklisting controls provided by cybersecurity vendors.
What Makes This New Astaroth Phishing Kit So Dangerous?
The new Astaroth kit, as detailed in SlashNext's blog, uses a proxy-based phishing technique:
Key Capabilities of Astaroth
- Intercepts login credentials entered by the victim.
- Steals 2-FA (Two-Factor Authentication) codes in real time.
- Captures session cookies from the victim's browser.
- Allows the attacker to re-use both the 2-FA code and/or the session cookie to log in as the victim.
Why Traditional Protections Struggle Against This Attack
White Cloud Security's Trust Lockdown technology always blocks:
- Ransomware and other Malware
- Unapproved Remote Access Tools (RATs) used by hackers to gain remote access like TeamViewer
- Unauthorized scripts and executable downloads, intentional or socially engineered
- Living-off-the-land (LOTL) using unauthorized tools like Filezilla, WinSCP
- Any App not on the "least privilege" approved App list
In fact, the older version of Astaroth would be automatically blocked by Trust Lockdown because it downloaded and attempted to execute scripts — a behavior denied by default.
However, this new Astaroth variant never touches the local disk in the traditional sense. It's a man-in-the-middle web attack — operating entirely online through phishing pages and proxy servers.
Use a Password Manager
One way to protect yourself from phishing of this nature is remarkably simple:
Never click links in unexpected emails or text messages.
Instead, always:
- Open your password manager.
- Use it to navigate directly to the website.
- Let your password manager autofill credentials only on legitimate sites.
This eliminates the risk of being redirected to a fake phishing site, even if the page looks identical to the real thing.
Use a Zero-Trust DNS (ZTDNS)
A Zero-Trust DNS service is designed to enforce Zero Trust principles at the DNS level. It allows administrators to block all outbound traffic unless the destination domain is explicitly approved, effectively preventing unauthorized connections. This approach enhances security by ensuring that devices only communicate with approved domains.
A properly designed Zero-Trust DNS service intercepts DNS and TCP/IP connection requests, restricting connectivity to:
- Approved Domain Names
- Required IP address connections
This allows organizations to specify exactly which domains or IP addresses are approved — and block everything else by default.
Blacklisting methods use a 'default allow' paradigm and allow the exploitation of unknown domain names and malicious IP addresses.
A Zero-Trust DNS service blocks access to all unknown and malicious domain names and IP addresses by default.
What's Next for White Cloud Security?
We're exploring how to extend our Zero-Trust protection model beyond the endpoint's "perimeter of defense" — and into internet connectivity itself.
Would You Use a "Zero-Trust DNS" service?
→ Would you or your organization use a Zero-Trust DNS that only allows connectivity to approved domain names and IP addresses, similar to our current Least-Privilege Security Policies for applications?
Let us know!
TL;DR: Two Versions of Astaroth — Two Very Different Threats
| Variant | Method | Can Trust Lockdown Block It? |
|---|---|---|
| Older Astaroth | Downloads & Executes Scripts (LOTL Attack using WMIC etc.) | Yes, by default |
| New Astaroth | Web-Based Phishing Proxy / Man-in-the-Middle | No — Requires Different Protections |
Final Thoughts
The evolution of Astaroth underscores a critical truth about cybersecurity:
Attackers are always looking for ways around your existing protections.
Endpoint security is critical — but user behavior and Zero-Trust Internet controls are becoming just as important.
Stay tuned as White Cloud Security continues to expand its capabilities to meet the challenges of a constantly evolving threat landscape.