Wednesday, December 25, 2024
HomeMalwareMicrosoft Spotted New Fileless Malware "Astaroth" that Abusing Legitimate Tools To Hack...

Microsoft Spotted New Fileless Malware “Astaroth” that Abusing Legitimate Tools To Hack Your Windows

Published on

SIEM as a Service

A widespread fileless malware campaign called Astaroth spotted with the “lived off the land” method to attack Windows users with advanced persistent technique to evade the detection.

Microsoft uncovered this fileless malware using anomaly detection algorithm and the observation of sudden spike in the use of Windows Management Instrumentation Command-line (WMIC) tool to run the malicious script.

Fileless malware is a type of malicious technique that leveraging already existing system tools, also is lives only in the memory of a machine ideally leaving no trace after its execution. Its purpose is to reside in volatile system areas such as the system registryin-memory processes, and service areas.

- Advertisement - SIEM as a Service

Andrea Lelli from Microsoft Defender ATP Research discovered that the Astaroth fileless malware resides in the memory to steal sensitive information like credentials, keystrokes, and other data eventually exfiltrate the data and share it to the attacker remotely.

Generally, Fileless malware is running simple scripts and shellcode directly writing in memory by leveraging the legitimate system admin tools regardless of the operating system to avoid detection and using those tools to moving forward for the further attack is called “Living off the Land” which is very very hard to detect using traditional security software.

In this case, Attack silently installs the Astaroth into the victim’s system and it moving across the network to steal the data from another system in the network.

Astaroth Fileless malware Infection Process

Attackers sending the spear-phishing emails to the target system with an LNK file. Once the victims double clicked it, LNK file starts executing the WMIC tool eventually it downloads and execution of a JavaScript code.

Javascript code abusing the Bitsadmin tool to download the payload which are Base64-encoded and decoded using the Certutil tool.

Another tool called Regsvr32 is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.

Astaroth “living-off-the-land” attack chain

According to the Microsoft report, “The attack chain above shows only the Initial Access and Execution stages. In these stages, the attackers used fileless techniques to attempt to silently install the malware on target devices. Astaroth is a notorious information stealer with many other post-breach capabilities that are not discussed in this blog. Preventing the attack in these stages is critical.”

“Being fileless doesn’t mean being invisible; it certainly doesn’t mean being undetectable. Using advanced technologies, Microsoft Defender ATP exposes fileless threats like Astaroth before these attacks can cause more damage,” Lelli Concluded.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...