Microsoft Warns of Spike in Hard to Spot Info-Stealer Astaroth Fileless Malware Campaign

July 2019

The notorious information-stealing malware features a key logger module as well as capabilities to intercept operating system calls and monitor the clipboard. Astaroth’s ultimate goal is to steal sensitive information such as keystrokes, credit card numbers and credentials, which it exfiltrates and uses to try moving laterally across networks, carry out financial theft or sell victim information on the dark web. It is difficult for antivirus and other security software to detect the attacks, both because the malware resides solely in memory (meaning no file is saved on the hard drive throughout the infection operation), and because the perpetrators are utilising ‘living off the land techniques’ to spread the infection.

What is Living off the Land and Fileless Malware?

The concept of Living off the Land, where malicious actors take advantage of default applications to mask their malicious activity and operate stealthily in target systems, is not new but has been a growing trend on the cyber security landscape in recent times.

Legitimate tools that are often exploited by cyber criminals for Living off the Land attacks include:

  • PowerShell scripts
  • VB scripts
  • WMI
  • PsExec
  • Mimikatz

As well as allowing attackers to remain hidden in a sea of legitimate processes, using Living off the Land tactics means that it is often difficult for investigators to determine who is behind malicious activity if they do discover it. Fileless attacks were first discovered in the wild in the early 2000s and are a subset of Living off the Land attacks that remains popular because it has low observable characteristics and evades common security methods.

Initial infection with fileless attacks usually involves one of the below attack vectors:

Physical Transfer

A user connects an infected device or media into a machine.

Social Engineering (Phishing)

A user interacts with a link to a malicious website in an email or document.

Web Application

A malicious actor leverages a weakness in a website to inject and execute code on any user that happens to visit the website.

While this is typical of malware attacks also, in a fileless attack, the payload will not create files on the devices hard drive but reside only in memory. The next stage of attack varies but often includes attempting to create entries in the device’s registry for persistence or attempting to load commonly used processes such as PowerShell or Windows Management Instrumentation (WMI). In fact, this is how Microsoft spotted the Astaroth campaign; their telemetry showed noticeable spikes in the use of the WMC tool to run a script.

Figure 1: Windows Defender Antivirus telemetry displays a sudden increase in suspisiouc activity.

Recent Astaroth Malware Campaign

Astaroth was first spotted in 2018 by Cybereason stealing information from European and Brazilian targets. Cofense’s Phishing Defense Center (PDC) also spotted a malspam campaign distributing Astaroth in September 2018 and exclusively targeting South American victims, with around 8,000 machines potentially compromised within a single week of attacks.

More recently, it has been identified by Microsoft Defender ATP Research Team in May and June this year after detecting an abrupt increase in the use of the Windows Management Instrumentation Command-line (WMIC) tool.

Analysis of Infection

A detailed analysis by security experts reveals the campaign sent out spam phishing emails with a link to a malicious .LNK shortcut file. Running the .LNK file causes the execution of the legitimate WMIC tool with the “/Format” parameter, which allows the download and execution of JavaScript code. The JavaScript code, in turn, downloads payloads by abusing the Bitsadmin tool. Finally, Astaroth is downloaded and run on the system, dumping credentials for a wide variety of apps and also uploading the stolen information to a remote command-and-control centre.

At no point during the attack chain is any file run that’s not a system tool. Instead, it entirely relies on system tools and commands during its entire attack chain to masquerade as regular activity.

Figure 2:  Astaroth ‘living off the land’ attack chain showing multiple legitimate tools abused.

Shane Shook, Principal Advisor to the Board at Secrutiny, said: “If it is a keylogger and password/info stealer then it is what we call a ‘harvester’. Those are mostly used by cyber criminals not nation state actors; however they can serve dual purposes as some countries contract the target ‘development’ out to botmasters or ‘sub contractors’ who are then allowed to make their money off of the stolen credentials and financially sensitive information.

“In any case that type of utility is not a tool for objective success in a targeted campaign. It is rather a tool used in an interval to collect information so that others can develop the compromise opportunity and utilise the stolen details to achieve their objectives – usually (today) by living off the land and like a native.

“The most interesting thing about it is that keyloggers had largely fallen away due to AI and next gen AV capabilities to detect them. The way that these are resident within memory space of protected processes prevents such protection tools from detecting or intercepting them.”

Mitigation Steps Against Fileless and Living off the Land Attacks Like Asaroth

Being fileless doesn’t mean the malware is invisible or undetectable: “some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way a bag of money moving by itself would,” said Andrea Lelli, a member of the Windows Defender ATP team.

Therefore, to minimise the risk of these sophisticated attacks, it is critical for organisations to have a clear understanding of their environment so malicious activity can be swiftly detected and mitigated.

Patch management, including staying up-to-date with vendor-issued security advisories and application releases.

A layered IT defence based on security tools, people, and processes will yield the most effective result by ensuring that an attacker who penetrates one layer of defence will be stopped by a subsequent layer.

Least privilege practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities and disable non-essential applications and services.

Log management, including regular reviews of system logs and server logs to identify deviations from the norm.

Regular Audits of your IT hygiene and security posture to maintain good hygiene. 

Next-generation antivirus with behavioural-driven approaches, where they can detect covert actions like fileless execution and Living off the Land techniques.

Check Out Our Other Recent Posts >