Monday, November 4, 2024
HomeMalwareMicrosoft Spotted New Fileless Malware "Astaroth" that Abusing Legitimate Tools To Hack...

Microsoft Spotted New Fileless Malware “Astaroth” that Abusing Legitimate Tools To Hack Your Windows

Published on

Malware protection

A widespread fileless malware campaign called Astaroth spotted with the “lived off the land” method to attack Windows users with advanced persistent technique to evade the detection.

Microsoft uncovered this fileless malware using anomaly detection algorithm and the observation of sudden spike in the use of Windows Management Instrumentation Command-line (WMIC) tool to run the malicious script.

Fileless malware is a type of malicious technique that leveraging already existing system tools, also is lives only in the memory of a machine ideally leaving no trace after its execution. Its purpose is to reside in volatile system areas such as the system registryin-memory processes, and service areas.

- Advertisement - SIEM as a Service

Andrea Lelli from Microsoft Defender ATP Research discovered that the Astaroth fileless malware resides in the memory to steal sensitive information like credentials, keystrokes, and other data eventually exfiltrate the data and share it to the attacker remotely.

Generally, Fileless malware is running simple scripts and shellcode directly writing in memory by leveraging the legitimate system admin tools regardless of the operating system to avoid detection and using those tools to moving forward for the further attack is called “Living off the Land” which is very very hard to detect using traditional security software.

In this case, Attack silently installs the Astaroth into the victim’s system and it moving across the network to steal the data from another system in the network.

Astaroth Fileless malware Infection Process

Attackers sending the spear-phishing emails to the target system with an LNK file. Once the victims double clicked it, LNK file starts executing the WMIC tool eventually it downloads and execution of a JavaScript code.

Javascript code abusing the Bitsadmin tool to download the payload which are Base64-encoded and decoded using the Certutil tool.

Another tool called Regsvr32 is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.

Astaroth “living-off-the-land” attack chain

According to the Microsoft report, “The attack chain above shows only the Initial Access and Execution stages. In these stages, the attackers used fileless techniques to attempt to silently install the malware on target devices. Astaroth is a notorious information stealer with many other post-breach capabilities that are not discussed in this blog. Preventing the attack in these stages is critical.”

“Being fileless doesn’t mean being invisible; it certainly doesn’t mean being undetectable. Using advanced technologies, Microsoft Defender ATP exposes fileless threats like Astaroth before these attacks can cause more damage,” Lelli Concluded.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy...

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Researchers discovered a Russian-linked threat actor, UNC5812, utilizing a Telegram persona named "Civil Defense....

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...