Microsoft has published a report on a renewed Astaroth Malware campaign. After investigating a spike in Windows’ WMIC tool, it found a new, fileless method attackers are exploiting.
For the unfamiliar, fileless threats are particularly dangerous due to their ability to bypass anti-virus solutions. Rather than running files on the disk, they make use of existing system tools to download a payload and run it in the system memory.
Astaroth uses a chain of legitimate tools to deploy a data-stealing trojan on victims’ PCs. First, a spam email campaign sends out links to a website hosting a .LNK shortcut file. If users run the file, it opens WMIC with the /Format parameter, which lets it download and execute JavaScript code, which downloads encoded payloads via the Bitsadmin tool.
WMIC, Certutil, Regsvr, and More
The encoded payloads are decoded with Certutil, with one run by Regsvr32, leading to the running of a second DLL, which reflectively loads another DLL. Finally, this final DDL decrypts and injects another into Userinit, which downloads a final DLL that reflectively loads Astaroth.
If you’re having problems following that, you’re not alone. These complex and sophisticated chains are part of what makes fileless malware so hard to detect on run, but they also leave a trail of evidence. The below flow chart should help some:
As usual, Microsoft is promoting its Windows Defender Advanced Threat Protection as a solution to this issue. The tool uses techniques like machine learning file classification, metadata, and behavior analysis in combination with on-device memory scanning heuristics, and network monitoring.
Astaroth was first spotted in 2018 targetting European and Brazillian users. In a statement to ZDNet, Microsoft said 95% of Astaroth infections were from Brazil. It discovered the most recent attacks between May and June. Needless to say, users should always be careful of the links they open from emails.
