A new Astaroth Trojan Campaign uncovered by Microsoft

Microsoft Defender ATP Research Team discovered a fileless malware campaign that was spreading the information stealing Astaroth Trojan.

Experts at the Microsoft Defender ATP Research Team discovered a fileless malware campaign that is delivering the information stealing Astaroth Trojan.

The malware is able to log the users’ keystrokes, collect information through hooking, access clipboard content, and monitor the keystate.

The Astaroth Trojan was first spotted by security firm Cofense in late 2018 when it was involved in a campaign targeting Europe and Brazil. The malware abused living-off-the-land binaries (LOLbins) such as the command line interface of the Windows Management Instrumentation Console (WMIC) to download and install malicious payloads in the background. According to the experts, LOLbins are very effecting in evading antivirus software. 

The malware campaign uncovered by Microsoft leverages several lifeless techniques and a multi-stage infection process.

“I was doing a standard review of telemetry when I noticed an anomaly from a detection algorithm designed to catch a specific fileless technique.” reads the analysis published by Andrea Lelli from Microsoft. “Telemetry showed a sharp increase in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script (a technique that MITRE refers to XSL Script Processing), indicating a fileless attack.”

The attack chain starts with spear-phishing messages containing a malicious link that leads the potential victims to an LNK file.

Once the victim has double-clicked, “LNK file triggers the execution of the WMIC tool with the “/Format” parameter. Then a JavaScript is downloaded and executed, is used to download payloads by abusing the Bitsadmin tool.

The payloads downloaded are all Base64-encoded using the legitimate Certutil tool.

All the payloads are Base64-encoded and decoded using the Certutil tool. Two of payloads result in plain DLL files that are loaded using the Regsvr32 tool. Once loaded the DLLs will decrypt and load other files until the final Astaroth Trojan that is injected into the Userinit process.

The penultimate DLL will reflectively load the fifth DLL into memory using process hollowing.

“It’s interesting to note that at no point during the attack chain is any file run that’s not a system tool. This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity,” continues the experts.

Technical details for each infection stage are included in the analysis published by Microsoft.

In February, researchers at Cybereason’s Nocturnus team uncovered another Astaroth Trojan campaign that was exploiting the Avast antivirus and security software developed by GAS Tecnologia to steal information and drop malicious modules.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Astaroth Trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]