Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Fileless Attack Attempts to Run Astaroth Backdoor Directly in Memory

Microsoft says it recently detected and stopped a fileless campaign looking to deliver the Astaroth Trojan to unsuspecting victims. 

Microsoft says it recently detected and stopped a fileless campaign looking to deliver the Astaroth Trojan to unsuspecting victims. 

The malware has been around for a couple of years and is known for the use of various fileless techniques to stay undetected on systems. Earlier this year, the threat was observed abusing an Avast process for malicious purposes. 

The newly discovered campaign employed a complex attack chain relying on system tools to run the Astaroth backdoor directly in memory. Once executed on the victim’s machine, the malware can steal credentials, keystrokes and other data, and sends the information to the attacker. 

The attack chain usually starts with a malicious link in a spear-phishing email. The link takes the victim to an LNK file designed to execute the Windows Management Instrumentation Command-line (WMIC) tool to download and execute JavaScript code. 

The JavaScript abuses the Bitsadmin tool to fetch payloads that are decoded using Certutil. Two of the payloads are plain DLL files, one of which is loaded using Regsvr32 to decrypt and load other files until the final payload, Astaroth, is injected into the Userinit process.

“It’s interesting to note that at no point during the attack chain is any file run that’s not a system tool. This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity,” Microsoft notes. 

Despite the use of this complex fileless attack chain during the initial access and execution stages, the abuse of known infection techniques allowed Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to detect and foil the campaign. 

These techniques include spear-phishing link and shortcut modification, WMIC abuse, XSL script processing, scripting, obfuscated files, Bitsadmin abuse, remote file copy, Certutil abuse, Regsvr32 abuse, execution through module load, and Userinit abuse. 

According to Microsoft, fileless malware clearly isn’t invisible and can be detected. In fact, some of the employed fileless techniques may be so unusual and anomalous that they immediately draw attention to the unfolding attack. 

Related: Extensive ‘Living Off the Land’ Hides Stealthy Malware Campaign

Related: Fileless Malware Attacks on the Rise, Microsoft Says

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.