Security Experts:

Fileless Attack Attempts to Run Astaroth Backdoor Directly in Memory

Microsoft says it recently detected and stopped a fileless campaign looking to deliver the Astaroth Trojan to unsuspecting victims. 

The malware has been around for a couple of years and is known for the use of various fileless techniques to stay undetected on systems. Earlier this year, the threat was observed abusing an Avast process for malicious purposes. 

The newly discovered campaign employed a complex attack chain relying on system tools to run the Astaroth backdoor directly in memory. Once executed on the victim’s machine, the malware can steal credentials, keystrokes and other data, and sends the information to the attacker. 

The attack chain usually starts with a malicious link in a spear-phishing email. The link takes the victim to an LNK file designed to execute the Windows Management Instrumentation Command-line (WMIC) tool to download and execute JavaScript code. 

The JavaScript abuses the Bitsadmin tool to fetch payloads that are decoded using Certutil. Two of the payloads are plain DLL files, one of which is loaded using Regsvr32 to decrypt and load other files until the final payload, Astaroth, is injected into the Userinit process.

“It’s interesting to note that at no point during the attack chain is any file run that’s not a system tool. This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity,” Microsoft notes. 

Despite the use of this complex fileless attack chain during the initial access and execution stages, the abuse of known infection techniques allowed Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to detect and foil the campaign. 

These techniques include spear-phishing link and shortcut modification, WMIC abuse, XSL script processing, scripting, obfuscated files, Bitsadmin abuse, remote file copy, Certutil abuse, Regsvr32 abuse, execution through module load, and Userinit abuse. 

According to Microsoft, fileless malware clearly isn’t invisible and can be detected. In fact, some of the employed fileless techniques may be so unusual and anomalous that they immediately draw attention to the unfolding attack. 

Related: Extensive 'Living Off the Land' Hides Stealthy Malware Campaign

Related: Fileless Malware Attacks on the Rise, Microsoft Says

view counter