A widespread fileless malware campaign called Astaroth spotted with the “lived off the land” method to attack Windows users with advanced persistent technique to evade the detection.
Microsoft uncovered this fileless malware using anomaly detection algorithm and the observation of a sudden spike in the use of Windows Management Instrumentation Command-line (WMIC) tool to run the malicious script.
Fileless malware is a type of a malicious technique that leveraging already existing system tools, also is lives only in the memory of a machine ideally leaving no trace after its execution. Its purpose is to reside in volatile system areas such as the system registry, in-memory processes, and service areas.
Andrea Lelli from Microsoft Defender ATP Research discovered that the Astaroth fileless malware resides in the memory to steal sensitive information like credentials, keystrokes, and other data eventually exfiltrate the data and share it to the attacker remotely.
Generally, Fileless malware is running simple scripts and shellcode directly writing in memory by leveraging the legitimate system admin tools regardless of the operating system to avoid detection and using those tools to moving forward for the further attack is called “Living off the Land” which is very very hard to detect using traditional security software.
In this case, Attack silently installs the Astaroth into the victim’s system and it moves across the network to steal the data from another system in the network.
Astaroth Fileless malware Infection Process
Attackers sending the spear-phishing emails to the target system with an LNK file. Once the victims double clicked it, LNK file starts executing the WMIC tool eventually it downloads and execution of a JavaScript code.
Javascript code abusing the Bitsadmin tool to download the payload which is Base64-encoded and decoded using the Certutil tool.
Another tool called Regsvr32 is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process
According to the Microsoft report, "The attack chain above shows only the Initial access and execution stages. In these stages, the attackers used fileless techniques to attempt to silently install the malware on target devices. Astaroth is a notorious information stealer with many other post-breach capabilities that are not discussed in this blog. Preventing the attack in these stages is critical"
“Being fileless doesn’t mean being invisible; it certainly doesn’t mean being undetectable. Using advanced technologies, Microsoft Defender ATP exposes fileless threats like Astaroth before these attacks can cause more damage,” Lelli Concluded
By, Chetan B H