Categories: Malware

Microsoft Spotted New Fileless Malware “Astaroth” that Abusing Legitimate Tools To Hack Your Windows

A widespread fileless malware campaign called Astaroth spotted with the “lived off the land” method to attack Windows users with advanced persistent technique to evade the detection.

Microsoft uncovered this fileless malware using anomaly detection algorithm and the observation of sudden spike in the use of Windows Management Instrumentation Command-line (WMIC) tool to run the malicious script.

Fileless malware is a type of malicious technique that leveraging already existing system tools, also is lives only in the memory of a machine ideally leaving no trace after its execution. Its purpose is to reside in volatile system areas such as the system registryin-memory processes, and service areas.

Andrea Lelli from Microsoft Defender ATP Research discovered that the Astaroth fileless malware resides in the memory to steal sensitive information like credentials, keystrokes, and other data eventually exfiltrate the data and share it to the attacker remotely.

Generally, Fileless malware is running simple scripts and shellcode directly writing in memory by leveraging the legitimate system admin tools regardless of the operating system to avoid detection and using those tools to moving forward for the further attack is called “Living off the Land” which is very very hard to detect using traditional security software.

In this case, Attack silently installs the Astaroth into the victim’s system and it moving across the network to steal the data from another system in the network.

Astaroth Fileless malware Infection Process

Attackers sending the spear-phishing emails to the target system with an LNK file. Once the victims double clicked it, LNK file starts executing the WMIC tool eventually it downloads and execution of a JavaScript code.

Javascript code abusing the Bitsadmin tool to download the payload which are Base64-encoded and decoded using the Certutil tool.

Another tool called Regsvr32 is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.

Astaroth “living-off-the-land” attack chain

According to the Microsoft report, “The attack chain above shows only the Initial Access and Execution stages. In these stages, the attackers used fileless techniques to attempt to silently install the malware on target devices. Astaroth is a notorious information stealer with many other post-breach capabilities that are not discussed in this blog. Preventing the attack in these stages is critical.”

“Being fileless doesn’t mean being invisible; it certainly doesn’t mean being undetectable. Using advanced technologies, Microsoft Defender ATP exposes fileless threats like Astaroth before these attacks can cause more damage,” Lelli Concluded.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

3 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

3 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

6 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

9 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

10 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

11 hours ago