Microsoft warns of Astaroth fileless Trojan attacks

Microsoft experts warned users about an active malicious campaign to infect computers with Astaroth malware, which is difficult to detect with familiar security solutions.

The Windows Defender ATP development team, a commercial version of the Windows Defender antivirus product, discovered the campaign.

“Our experts suspected something was wrong after the discovery of a sharp surge in the use of the Windows Management Instrumentation Command-line (WMIC) tool”, – says team member Andrea Lelli.

WMIC is a legitimate tool in modern versions of Windows, but a sudden increase in its use clearly indicated a malicious campaign. Looking closed, experts discovered a large-scale operation to send fishing emails with a link to the website containing the .LNK file.

After downloading and opening the file, WMIC and a number of other legitimate Windows tools were launched, which loaded additional code, transferred the data one to another, and executed the code exclusively in memory (the so-called fileless execution). Since no files were saved to the disk, the usual security solutions did not detect the attack.

At the final stage of the attack on the system was downloaded Astaroth malware, which is an infostealer for stealing credentials for a number of applications. The first attacks with its use were discovered in 2018. In February of this year, malware attacked users in Europe and Brazil.

Microsoft experts have fixed a new campaign in May and June. Over 95% of all affected users live in Brazil.

Read also: The new version of the Dridex banker slipping from antiviruses

As noted by Lelly, at any stage of the attack are not used files that would be saved in the system. This type of attack, when only tools that are already present on the system are used, is called “living off the land”. Over the past three years, attacks of this type are being used more and more, forcing manufacturers of antivirus solutions to develop new ways to detect them.

“Using invisible techniques and being actually invisible are two different things. Being invisible may help you for some things, but you should not be under the illusion that you are invincible. The same applies to fileless malware: abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware”, — argues Andrea Lelli.

Additionally, Microsoft expert calls for the use of advanced developments in the field of detection of viruses and malware, until they managed to cause maximum damage.