Microsoft Discovers Fileless Malware Campaign Dropping Astaroth Info Stealer

astaroth The Microsoft Defender ATP Research Team released a report covering a malware campaign that dropped the Astaroth trojan into the memory of infected computers. This particular campaign was notable in its distribution method and complex attack chain. It used fileless distribution techniques to hide its activities from security solutions, and abused different legitimate Windows software features to spread quietly.

Discovered in 2017, Astaroth is known as an information stealer. It is capable of taking sensitive information from an affected user — account credentials, keystrokes, and other data — and sending it to the attacker.

Attack chain

During a standard telemetry review, a researcher from the Microsoft Defender ATP Research Team, Andrea Lelli, noted a spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script, which indicated a fileless technique being used. Upon further investigation, Lelli discovered the Astaroth campaign where attackers were attempting to install the malware directly in the memory of victim devices.

Lelli explains that the infection typically starts through spam emails with a malicious URL to a LNK file shortcut. If the file is clicked, WMIC is run and allows the download and execution of a JavaScript code. The code in turn abuses the Bitsadmin tool to download payloads, and the eventual end payload is Astaroth. Lelli outlines the whole attack chain in the Microsoft report.

The malware campaign actually runs legitimate Windows tools, which will download additional code and then pass it on. This chain of action is executed in memory, without saving any files on the disk, making it a “fileless execution.” The fileless nature of the campaign makes it difficult for traditional antivirus tools to detect it, although more advanced security solutions are able to defend against such a threat.

[READ: Security 101: Defending Against Fileless Malware]

Lelli notes that this malware campaign completely “lives off the land,” given that all files run during the attack chain are system tools. By abusing legitimate tools already present on the target system, it tries to disguise its actions as regular activity.

Dealing with fileless threats

This use of fileless techniques is not new. In fact, in 2018, we saw an uptick in fileless events. And cybercriminals continue to use fileless techniques to update old malware.

But while fileless threats may not be as visible as more traditional ones, they leave telltale signs that can be detected by IT and security teams. Here are some ways enterprises can stay ahead of fileless threats:

  • Be more cautious of unsolicited emails or files, especially those that prompt users to enable macros or scripts.
  • Keep systems and their applications updated.
  • Secure the use of system administration tools.
  • Deploy additional layers of security such as behavior monitoring, sandboxing, firewalls, and intrusion detection and prevention systems.
  • Proactively monitor endpoints and networks.

To protect against fileless threats that use spam emails as vectors, enterprises can use the Trend Micro endpoint solutions Trend Micro Smart Protection Suites and Worry-FreeBusiness Security. Both solutions protect users and businesses from threats by detecting malicious files and spammed messages, and blocks all related malicious URLs.

Indicators of Compromise

SHA 256 Detection Name

762f962251800b0028a90b53a50503558fff9116c43fccdab376a05fdd03e27e

TSPY_BESTAFERA.ENC

9cef4e4b27b956035107ae36dac44fc4bd0ed8e1ae7ae58d10708bae3de636a0

Trojan.Win32.OCCAMY.DAM

536d9ff73c183f5a4cf5c230f898b4e5b938c7a8bbd343edf818d5114eaf6521

Trojan.Win32.OCCAMY.DAM

90dcef5b84678f4a9491a1520cf43e17de5b97e13a1ad5d5609438deb8cf2a40

TrojanSpy.Win32.GUILDMA.AC

e44548f0c7d26a6d11f3ab29753e36f525559dc2e443bff96346f1be17cd644a

TrojanSpy.Win32.GUILDMA.AC

dcc9ba0819601b18b18e2594bca7e700938dfe85c6904feed1841852016decdb

TrojanSpy.Win32.BESTAFERA.ENC

6f8692f08ccd5ab46136fca179be23f67bffed8bbd61ea16276be4268db404f2

TrojanSpy.Win32.BESTAFERA.ENC

3e70e0c3a10855aa6f8bf13391ce91bdefcd78a7c3e67c93c0e6e040088d604f

TrojanSpy.Win32.BESTAFERA.ENC

d64d1c73460746d08e45fd97f29d1e464809fcfc869d3a6831b90897ca99e83c

TrojanSpy.Win32.BESTAFERA.ENC

314befd15c890bdec036ccfeba1248417a0b204f49b342ac6727c07756ec9eae

TrojanSpy.Win32.BESTAFERA.ENC

8f2158344f9df9dd011a4e76749e4a8f46a556a4110b796561855c5bbabd766a

TrojanSpy.Win32.BESTAFERA.ENC
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.