Microsoft Alerts to Rise in Astaroth Fileless Malware Cyberattacks

July 09, 2019 - Hackers are launching Astaroth malware campaigns at a rapid pace, leveraging fileless execution and “living-off-the-land” techniques to evade detection from traditional anti-virus tools, according to new research from Microsoft.

Researchers from Microsoft’s Windows Defender ATP team discovered the recent campaign, when Microsoft Senior Software Engineer Andrea Lelli saw an anomaly in a detection algorithm designed to spot a specific type of fileless technique. Fileless malware is a term used to describe malware variants that don’t rely on files to execute malicious code.

The tool’s telemetry displayed a sudden increase in the use of the Windows Management Instrumentation Command-line (WMIC) tool, which ran a script known as XSL Script Processing – flagging a fileless attack, Lelli explained in a recent blog post.

With further analysis, Lelli detected the campaign that attempted to run the backdoor of the Astaroth malware directly from the computer’s memory.

“Astaroth is a notorious info-stealing malware known for stealing sensitive information like credentials, keystrokes, and other data, which it exfiltrates and sends to a remote attacker,” Lelli wrote. “The attacker can then use stolen data to try moving laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground.”

A typical Astaroth attack will begin with a malicious link in the body of a spear-phishing email that sends the user to an LNK file, Lelli explained. If the victim opens the file, the WMIC tool will be executed with the “/Format” parameter that will allow the download and execution of JavaScrupt code.

The payloads are Base64-encoded and decoded using the Certutil tool and are then downloaded by abusing the Bitsadmin tool.

“Two of them result in plain DLL files (the others remain encrypted),” Lelli wrote. “The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.”

The Astaroth trojan was first seen in the wild in 2018 and was most recently seen targeting Brazilian and European users in February 2019.

“It's interesting to note that at no point during the attack chain is any file run that's not a system tool,” Lelli wrote. “This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity.”

“For traditional, file-centric antivirus solutions, the only window of opportunity to detect this attack may be when the two DLLs are decoded after being downloaded,” Lelli wrote. “After all, every executable used in the attack is non-malicious.”

The healthcare sector has seen an increase in trojan malware attacks in the past year with a Malwarebytes report finding hackers are turning to subtle, long-lasting attacks to harvest sensitive data. In fact, trojan malware attacks upended ransomware as the biggest hacking threat to the sector in 2018.

Comments are closed.