Microsoft Discovers Fileless Malware Campaign Dropping Astaroth Info Stealer
The Microsoft Defender ATP Research Team released a report covering a malware campaign that dropped the Astaroth trojan into the memory of infected computers. This particular campaign was notable in its distribution method and complex attack chain. It used fileless distribution techniques to hide its activities from security solutions, and abused different legitimate Windows software features to spread quietly.
Discovered in 2017, Astaroth is known as an information stealer. It is capable of taking sensitive information from an affected user — account credentials, keystrokes, and other data — and sending it to the attacker.
Attack chain
During a standard telemetry review, a researcher from the Microsoft Defender ATP Research Team, Andrea Lelli, noted a spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script, which indicated a fileless technique being used. Upon further investigation, Lelli discovered the Astaroth campaign where attackers were attempting to install the malware directly in the memory of victim devices.
Lelli explains that the infection typically starts through spam emails with a malicious URL to a LNK file shortcut. If the file is clicked, WMIC is run and allows the download and execution of a JavaScript code. The code in turn abuses the Bitsadmin tool to download payloads, and the eventual end payload is Astaroth. Lelli outlines the whole attack chain in the Microsoft report.
The malware campaign actually runs legitimate Windows tools, which will download additional code and then pass it on. This chain of action is executed in memory, without saving any files on the disk, making it a “fileless execution.” The fileless nature of the campaign makes it difficult for traditional antivirus tools to detect it, although more advanced security solutions are able to defend against such a threat.
[READ: Security 101: Defending Against Fileless Malware]
Lelli notes that this malware campaign completely “lives off the land,” given that all files run during the attack chain are system tools. By abusing legitimate tools already present on the target system, it tries to disguise its actions as regular activity.
Dealing with fileless threats
This use of fileless techniques is not new. In fact, in 2018, we saw an uptick in fileless events. And cybercriminals continue to use fileless techniques to update old malware.
But while fileless threats may not be as visible as more traditional ones, they leave telltale signs that can be detected by IT and security teams. Here are some ways enterprises can stay ahead of fileless threats:
- Be more cautious of unsolicited emails or files, especially those that prompt users to enable macros or scripts.
- Keep systems and their applications updated.
- Secure the use of system administration tools.
- Deploy additional layers of security such as behavior monitoring, sandboxing, firewalls, and intrusion detection and prevention systems.
- Proactively monitor endpoints and networks.
To protect against fileless threats that use spam emails as vectors, enterprises can use the Trend Micro endpoint solutions Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions protect users and businesses from threats by detecting malicious files and spammed messages, and blocks all related malicious URLs.
Indicators of Compromise
SHA 256 | Detection Name |
762f962251800b0028a90b53a50503558fff9116c43fccdab376a05fdd03e27e |
TSPY_BESTAFERA.ENC |
9cef4e4b27b956035107ae36dac44fc4bd0ed8e1ae7ae58d10708bae3de636a0 |
Trojan.Win32.OCCAMY.DAM |
536d9ff73c183f5a4cf5c230f898b4e5b938c7a8bbd343edf818d5114eaf6521 |
Trojan.Win32.OCCAMY.DAM |
90dcef5b84678f4a9491a1520cf43e17de5b97e13a1ad5d5609438deb8cf2a40 |
TrojanSpy.Win32.GUILDMA.AC |
e44548f0c7d26a6d11f3ab29753e36f525559dc2e443bff96346f1be17cd644a |
TrojanSpy.Win32.GUILDMA.AC |
dcc9ba0819601b18b18e2594bca7e700938dfe85c6904feed1841852016decdb |
TrojanSpy.Win32.BESTAFERA.ENC |
6f8692f08ccd5ab46136fca179be23f67bffed8bbd61ea16276be4268db404f2 |
TrojanSpy.Win32.BESTAFERA.ENC |
3e70e0c3a10855aa6f8bf13391ce91bdefcd78a7c3e67c93c0e6e040088d604f |
TrojanSpy.Win32.BESTAFERA.ENC |
d64d1c73460746d08e45fd97f29d1e464809fcfc869d3a6831b90897ca99e83c |
TrojanSpy.Win32.BESTAFERA.ENC |
314befd15c890bdec036ccfeba1248417a0b204f49b342ac6727c07756ec9eae |
TrojanSpy.Win32.BESTAFERA.ENC |
8f2158344f9df9dd011a4e76749e4a8f46a556a4110b796561855c5bbabd766a |
TrojanSpy.Win32.BESTAFERA.ENC |
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.