Fileless malware named Astaroth is back and still steals sensitive data
A spike in Astaroth fileless malware attacks was recently spotted by Microsoft researchers. In its report, the security team states that the ongoing malware campaign uses a living-off-the-land technique that makes the attacks even harder for traditional anti-virus programs to identify.
The malicious campaign, which involves the Windows Management Instrumentation Command-line tool, was detected by the team behind Windows Defender ATP, the commercial version of the well-known free Windows Defender antivirus. Researchers were alerted during May and June 2019 thanks to a detection algorithm designed specifically to catch one form of fileless attack.
As researcher Andrea Lelli wrote in the official Microsoft Defender ATP report:
I was doing a standard review of telemetry when I noticed an anomaly from a detection algorithm designed to catch a specific fileless technique. Telemetry showed a sharp increase in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script, indicating a fileless attack.
The campaign involves a massive amount of spam emails spreading links to the malicious .lnk file
When the malware attack was analyzed further, investigators found that it involves a massive spam campaign that sent out emails with links to websites hosting a file with the .LNK extension.
Once users downloaded the file, it automatically launched the WMIC tool and other legitimate Windows tools one after the other. Since these tools can download additional code and pass their output to one another, the fileless malware is able to make its way onto the system without being detected by anti-malware tools.
The last step of the attack is downloading and running the backdoor trojan dubbed Astaroth, which is designed to steal information, dump various credentials and upload the collected data to a remote attacker-controlled server. According to researcher Andrea Lelli, the malware can be loaded without installing any files, directly in the memory of the target system:
The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.
The biggest danger of the Astaroth backdoor trojan is its file-stealing feature
The malware was first discovered in 2017 and resurfaced in 2018. The more recent attacks were reported earlier this year. At the start of 2019, the main targets of this malware were European and Brazilian users. According to Microsoft researchers, this time more than 90% of infections were discovered in Brazil.
Astaroth malware runs by leveraging legitimate tools like Certutil, Bitsadmin, and WMIC. The biggest issues with this malware are its fileless operation, which runs directly in system memory, and its file-stealing capability. Antivirus tools cannot easily detect this threat and react to the malicious activity, so many people become victims. However, Microsoft Defender ATP exposes such fileless threats and helps to avoid serious virus damage.
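The chain the article describes (a .LNK launching WMIC, WMIC handing off to Certutil and Bitsadmin to fetch and decode code, Regsvr32 loading a DLL from a user-writable path) is detectable from process-creation telemetry even when nothing malicious is ever written to disk as an executable. The following Python script is an added example written for this article; it is not code from the article, from Microsoft, or from the Astaroth campaign. The log records it consumes are constructed (hosts, timestamps, paths and URLs are made up, the exact tool switches are deliberately not reproduced), and the simplified `host|ts|image|parent|cmdline` record layout is an assumption rather than a real log format. It flags a host only when several distinct legitimate tools produce indicators within a short window, which is the "one after the other" pattern the report points to, so a lone administrative use of certutil or wmic is not reported.

```python
"""Detect an Astaroth-style living-off-the-land chain in process-creation events.

Added example, not code from the article or from Microsoft. All log records below are
constructed for illustration, and the 'host|ts|image|parent|cmdline' layout is assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Legitimate Windows tools the article names as abused by Astaroth.
LOLBINS = {"wmic.exe", "certutil.exe", "bitsadmin.exe", "regsvr32.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed user-writable locations; a real deployment would tune this list.
USER_WRITABLE_RE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


@dataclass
class Event:
    host: str
    ts: int        # seconds on a constructed relative clock
    image: str
    parent: str
    cmdline: str


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows- or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Event:
    """Parse one constructed record of the form host|ts|image|parent|cmdline."""
    host, ts, image, parent, cmdline = (f.strip() for f in line.split("|", 4))
    return Event(host, int(ts), image, parent, cmdline)


def event_findings(ev: Event) -> list[str]:
    """Per-event indicators; each maps to a step of the chain the article describes."""
    findings = []
    img = basename(ev.image)
    # WMIC pulling a script from a remote location instead of running a local query.
    if img == "wmic.exe" and URL_RE.search(ev.cmdline):
        findings.append("wmic-remote-script")
    # Certutil or Bitsadmin used as a downloader.
    if img in {"certutil.exe", "bitsadmin.exe"} and URL_RE.search(ev.cmdline):
        findings.append(f"{img[:-4]}-download")
    # Regsvr32 loading a DLL from a user-writable directory.
    if img == "regsvr32.exe" and USER_WRITABLE_RE.search(ev.cmdline):
        findings.append("regsvr32-userpath-dll")
    # One legitimate tool launching another: the "pass output to one another" pattern.
    if img in LOLBINS and basename(ev.parent) in LOLBINS:
        findings.append(f"lolbin-chain:{basename(ev.parent)}->{img}")
    return findings


def detect_chains(lines: list[str], window: int = 600) -> dict[str, list[str]]:
    """Report hosts where at least three distinct LOLBins produced findings within
    `window` seconds of each other. Single hits are left for lower-priority triage."""
    per_host: dict[str, list[tuple[int, str, str]]] = defaultdict(list)
    for ev in map(parse_line, lines):
        for f in event_findings(ev):
            per_host[ev.host].append((ev.ts, basename(ev.image), f))
    report = {}
    for host, hits in per_host.items():
        hits.sort()
        for start_ts, _, _ in hits:            # sliding window over ordered hits
            span = [h for h in hits if start_ts <= h[0] <= start_ts + window]
            if len({h[1] for h in span}) >= 3:
                report[host] = sorted({h[2] for h in span})
                break
    return report


# Constructed sample telemetry (not real data). Tool switches are replaced by a
# placeholder; the rules key on URLs, paths and parent/child relationships.
SAMPLE_LOG = [
    "ws01|1000|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe|cmd /c start",
    "ws01|1003|C:\\Windows\\System32\\wbem\\WMIC.exe|C:\\Windows\\System32\\cmd.exe|wmic [constructed args] http://example.invalid/a.xsl",
    "ws01|1020|C:\\Windows\\System32\\bitsadmin.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|bitsadmin [constructed args] http://example.invalid/b.bin",
    "ws01|1041|C:\\Windows\\System32\\certutil.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|certutil [constructed args] C:\\Users\\u\\AppData\\Local\\Temp\\b.bin",
    "ws01|1060|C:\\Windows\\System32\\regsvr32.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|regsvr32 /s C:\\Users\\u\\AppData\\Local\\Temp\\c.dll",
    # ws02: benign administrative use of the same tools, must not be reported.
    "ws02|2000|C:\\Windows\\System32\\wbem\\WMIC.exe|C:\\Windows\\System32\\cmd.exe|wmic os get caption",
    "ws02|2010|C:\\Windows\\System32\\certutil.exe|C:\\Windows\\System32\\cmd.exe|certutil -verify C:\\certs\\corp.cer",
    "ws02|2020|C:\\Windows\\System32\\regsvr32.exe|C:\\Windows\\System32\\msiexec.exe|regsvr32 /s C:\\Windows\\System32\\vendor.dll",
    # ws03: a lone downloader hit, below the chain threshold.
    "ws03|3000|C:\\Windows\\System32\\certutil.exe|C:\\Windows\\System32\\cmd.exe|certutil [constructed args] http://example.invalid/d.txt",
]

if __name__ == "__main__":
    for host, indicators in detect_chains(SAMPLE_LOG).items():
        print(host, indicators)
```

Run as-is, the script reports only `ws01`, with six indicators covering the remote WMIC script, the Bitsadmin download, the three WMIC-to-tool hand-offs and the Regsvr32 load from a user profile path; `ws02` and `ws03` produce nothing. The threshold of three distinct tools is the design choice that keeps the rule quiet on ordinary administration while still catching the chain, and the per-event findings remain available for lower-priority triage of hosts like `ws03`.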