Thursday, March 28, 2024

Microsoft Spotted New Fileless Malware “Astaroth” that Abusing Legitimate Tools To Hack Your Windows

A widespread fileless malware campaign called Astaroth spotted with the “lived off the land” method to attack Windows users with advanced persistent technique to evade the detection.

Microsoft uncovered this fileless malware using anomaly detection algorithm and the observation of sudden spike in the use of Windows Management Instrumentation Command-line (WMIC) tool to run the malicious script.

Fileless malware is a type of malicious technique that leveraging already existing system tools, also is lives only in the memory of a machine ideally leaving no trace after its execution. Its purpose is to reside in volatile system areas such as the system registryin-memory processes, and service areas.

Andrea Lelli from Microsoft Defender ATP Research discovered that the Astaroth fileless malware resides in the memory to steal sensitive information like credentials, keystrokes, and other data eventually exfiltrate the data and share it to the attacker remotely.

Generally, Fileless malware is running simple scripts and shellcode directly writing in memory by leveraging the legitimate system admin tools regardless of the operating system to avoid detection and using those tools to moving forward for the further attack is called “Living off the Land” which is very very hard to detect using traditional security software.

In this case, Attack silently installs the Astaroth into the victim’s system and it moving across the network to steal the data from another system in the network.

Astaroth Fileless malware Infection Process

Attackers sending the spear-phishing emails to the target system with an LNK file. Once the victims double clicked it, LNK file starts executing the WMIC tool eventually it downloads and execution of a JavaScript code.

Javascript code abusing the Bitsadmin tool to download the payload which are Base64-encoded and decoded using the Certutil tool.

Another tool called Regsvr32 is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.

Astaroth “living-off-the-land” attack chain

According to the Microsoft report, “The attack chain above shows only the Initial Access and Execution stages. In these stages, the attackers used fileless techniques to attempt to silently install the malware on target devices. Astaroth is a notorious information stealer with many other post-breach capabilities that are not discussed in this blog. Preventing the attack in these stages is critical.”

“Being fileless doesn’t mean being invisible; it certainly doesn’t mean being undetectable. Using advanced technologies, Microsoft Defender ATP exposes fileless threats like Astaroth before these attacks can cause more damage,” Lelli Concluded.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles