Experts at the Microsoft Defender ATP Research Team discovered a fileless malware campaign that is delivering the information stealing Astaroth Trojan.
The malware is able to log the users’ keystrokes, collect information through hooking, access clipboard content, and monitor the
The Astaroth Trojan was first spotted by security firm Cofense in late 2018 when it was involved in a campaign targeting Europe and Brazil. The malware abused living-off-the-land binaries (LOLbins) such as the command line interface of the Windows Management Instrumentation Console (WMIC) to download and install malicious payloads in the background. According to the experts, LOLbins are very effecting in evading antivirus software.
The malware campaign uncovered by Microsoft leverages several lifeless techniques and a multi-stage infection process.
“I was doing a standard review of telemetry when I noticed an anomaly from a detection algorithm designed to catch a specific
The attack chain starts with spear-phishing messages containing a malicious link that leads the potential victims to an LNK file.
The payloads downloaded are all Base64-encoded using the legitimate Certutil tool.
All the payloads are Base64-encoded and decoded using the Certutil tool. Two of payloads result in plain DLL files that are loaded using the Regsvr32 tool. Once loaded the DLLs will decrypt and load other files until the final Astaroth Trojan that is injected into the Userinit process.
The penultimate DLL will reflectively load the fifth DLL into memory using process hollowing.
“It’s interesting to note that at no point during the attack chain is any file run that’s not a system tool. This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity,” continues the experts.
Technical details for each infection stage are included in the analysis published by Microsoft.
In February, researchers at Cybereason’s Nocturnus team uncovered another Astaroth Trojan campaign that was exploiting the Avast antivirus and security software developed by GAS Tecnologia to steal information and drop malicious modules.