Astaroth Phishing Kit Bypasses 2FA to Hijack Gmail and Microsoft Accounts


New Astaroth Phishing Kit bypasses 2FA (two-factor authentication) to steal Gmail, Yahoo and Microsoft login credentials using a reverse proxy, real-time credential capture, and session hijacking.

An advanced new phishing kit, dubbed Astaroth, has emerged on cybercrime networks, discovered by SlashNext Threat Researchers. According to SlashNext’s research, shared with Hackread.com ahead of publication, Astaroth is designed to bypass two-factor authentication (2FA) through a combination of session hijacking and real-time credential interception.

How Astaroth Works

Astaroth operates by employing an evilginx-style reverse proxy (where a malicious server acts as an intermediary between the victim and a legitimate website). This technique allows the attackers to position themselves as a man-in-the-middle between the victim and legitimate authentication services, such as Gmail, Yahoo, and Microsoft.

The centralized controlled panel of the Astaroth Phishing Kit – Source: SlashNext

The level of detail available to the attacker is mind-blowing. There are columns for ‘Phishlet’, ‘Username’, ‘Password’, ‘User Agent’, ‘Remote Addr’, and ‘Tokens.’ The interface logs each phishing attempt, capturing usernames, passwords, user agent information, and crucially, 2FA tokens. Attackers can filter and sort these logs, mark entries for follow-up, and even download captured tokens for later use.

Unlike traditional phishing kits that rely on static fake login pages, Astaroth dynamically intercepts all authentication data. This means that even if a user has 2FA enabled, Astaroth can capture the second factor (such as a code from an authenticator app or SMS message) as it is entered. The reverse proxy intercepts and manipulates traffic, capturing login credentials, authentication tokens, and session cookies in real time. This real-time capture of all authentication data is what makes Astaroth so effective at bypassing 2FA.

Attack Details

According to SlashNext’s report, the attack involves a victim clicking on a link, which redirects them to a malicious server posing as a legitimate website. This server mirrors the target domain’s appearance and functionality, including SSL certificates, making it difficult for victims to detect.

When the victim enters login credentials, Astaroth captures them and forwards the request to the real server, obtaining username, password, user agent string, and IP address to replicate the victim’s session environment. The attacker is instantly alerted through the web panel interface and Telegram notifications when the token is entered.
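Because the kit replays a captured session cookie from the attacker's own infrastructure, one defender-side signal is a session that is used from a different client than the one that completed login. The following Python is an added example and is not code from the SlashNext report or from the kit; the log format, the event names (LOGIN_OK, MFA_OK, REQUEST), the session IDs and the IP addresses are all constructed for illustration. Note the fourth line: the kit copies the victim's user agent, so a user-agent check alone would miss it, while the change of source IP still fires.

```python
"""Flag session cookies replayed from a client other than the one that logged in.

Added example (not from the article, SlashNext, or the Astaroth kit).
The log format and all values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log, one event per line:
# <timestamp> <event> <user> <session_id> <client_ip> <user_agent...>
SAMPLE_LOG = """\
2025-02-18T09:00:01Z LOGIN_OK alice sess-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-02-18T09:00:09Z MFA_OK alice sess-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-02-18T09:01:15Z REQUEST alice sess-7f3a 203.0.113.10 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-02-18T09:03:40Z REQUEST alice sess-7f3a 198.51.100.77 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-02-18T09:05:00Z LOGIN_OK bob sess-c2d9 192.0.2.5 Mozilla/5.0 (X11; Linux x86_64)
2025-02-18T09:06:00Z REQUEST bob sess-c2d9 192.0.2.5 Mozilla/5.0 (X11; Linux x86_64)
2025-02-18T09:07:30Z REQUEST carol sess-ffff 198.51.100.77 curl/8.5.0
"""


@dataclass
class Binding:
    """The client that completed authentication for a session id."""
    user: str
    ip: str
    ua: str


def parse_line(line: str) -> dict:
    # The user agent contains spaces, so split at most five times.
    ts, event, user, sid, ip, ua = line.split(" ", 5)
    return {"ts": ts, "event": event, "user": user, "sid": sid, "ip": ip, "ua": ua}


def find_hijack_candidates(log_text: str) -> List[dict]:
    """Return one alert per request whose session is used by a different
    client (IP or user agent) than the one that logged in, or whose session
    id was never seen at login at all.

    Legitimate users do change IPs (mobile networks, VPNs), so treat these as
    step-up or re-authentication triggers rather than hard blocks.
    """
    bindings: Dict[str, Binding] = {}
    alerts: List[dict] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        sid = rec["sid"]
        if rec["event"] in ("LOGIN_OK", "MFA_OK"):
            # (Re)bind the session to the client that completed the login step.
            bindings[sid] = Binding(rec["user"], rec["ip"], rec["ua"])
            continue
        bound = bindings.get(sid)
        if bound is None:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "sid": sid,
                           "reason": "session id never seen at login"})
            continue
        reasons = []
        if rec["ip"] != bound.ip:
            reasons.append(f"ip changed {bound.ip} -> {rec['ip']}")
        if rec["ua"] != bound.ua:
            # A reverse-proxy kit that copies the victim's user agent will
            # not trip this check, which is why the IP check above matters.
            reasons.append("user agent changed")
        if reasons:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "sid": sid,
                           "reason": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in find_hijack_candidates(SAMPLE_LOG):
        print(alert)
```

Running the script prints two alerts: alice's session sess-7f3a used from 198.51.100.77 after logging in from 203.0.113.10, and the unknown session sess-ffff. In a real deployment the binding would be stored alongside the server-side session record at login time rather than reconstructed from logs.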

The kit is sold through Telegram and promoted on cybercrime forums and marketplaces.

Source: SlashNext

The image shows the seller “черная магия” claiming Astaroth can bypass headless detection and capture full cookies, usernames, and passwords for Google, Microsoft (including Office 365), AOL, and Yahoo mail providers.

Furthermore, the seller emphasizes that the kit is a combination of Evilginx with added functionalities and bypass methods, and that it comes with custom hosting options, including bulletproof hosting, for $2,000, which includes six months of updates and support. The seller also offers testing before purchase, demonstrating the kit’s capabilities and sharing techniques for bypassing reCAPTCHA and BotGuard protections.

These added functionalities are “aimed at improving its durability and attractiveness to threat actors,” researchers concluded.

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the emergence of the Astaroth phishing kit, warning about its alarming level of sophistication.

This phishing kit shows an alarming amount of sophistication. All the usual defences and things to look out for that we train users on are harder to spot with this attack. Having the infrastructure running on providers who don’t cooperate with law enforcement will make it more difficult to take down these malicious actors, said Thomas.

Recently, the US and European countries placed sanctions on countries harbouring these bullet-proof hosting providers. Users should be extra cautious when receiving an email purporting to be from an organization they know and demanding immediate action. If such an email is received, users should visit the website directly and not click the link to see if there are any alerts or problems with their account, he warned.
