Astaroth-Dropper Trojan Hides in Plain Sight

Malware is getting harder to detect. So says a company that wants you to buy its anti-malware product, anyway.

But here’s a fascinating case study: A spear-phishing campaign that uses a complex chain of fileless and living-off-the-land methods to eventually run the Astaroth data-stealing malware.

Look, ma, no files! In today’s SB Blogwatch, we dig the detail.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Underground Tokyo.

Fileless LOtL

What’s the craic? Catalin Cimpanu catalogs the “Astaroth malware campaign”:

 Ongoing malware campaigns … are distributing the Astaroth malware using fileless and living-off-the-land techniques that make it harder for traditional antivirus solutions to spot. … A massive spam operation [is] sending out emails with a link to a website hosting a .LNK shortcut.

If users were careless to download and run this file, it would launch the … Windows Management Instrumentation Command-line (WMIC) … tool, and then a plethora of other legitimate Windows tools, one after the other. [They] would all download additional code and pass their output to one another, executing solely in memory … without saving any files on disk, making the job of classic antivirus solutions harder.

In the end, the attack downloaded and ran the Astaroth trojan, a known info-stealer that can dump credentials for a wide category of apps.

Amazing. Shaun Nichols adds,“Microsoft shines light on Astaroth, a devilishly sneaky strain”:

 Dubbed Astaroth – the same name as the Great Duke of Hell – the software nasty has been in circulation since 2017 and has primarily been used to steal data … through spear-phishing. [But it can] fly under the radar of traditional antivirus products by operating without … an executable.

Vendors have … to rely on their heuristic detection tools. In particular, AV tools need to be closely monitoring the use of WMIC command-line code and applying rules when loading DLL files – such as checking the age of a file and flagging or blocking newly-created DLLs.

Who discovered it? Microsoft’s Andrea Lelli goes “Dismantling a fileless campaign”:

 Fileless attacks run the payload directly in memory or leverage legitimate system tools to run malicious code without having to drop executable files [so] they present challenges to traditional file-based [AV. But] being fileless doesn’t mean being invisible [nor] undetectable.

I was doing a standard review of telemetry when I noticed an anomaly … a sharp increase in the use of the … WMIC tool to run a script … indicating a fileless attack. … The LNK file causes the execution of the WMIC tool with the “/Format” parameter, which allows the download and execution of JavaScript code [which] in turn downloads payloads by abusing the Bitsadmin tool [to fetch two] DLL files. … The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.

At no point during the attack chain is any file run that’s not a system tool. This technique is called living off the land.

[But] abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware.

So how do we protect ourselves against data-stealing malware like Astaroth? This Anonymous Coward suggestifies thuswise:

 Astaroth vacuums up as much personal info as possible which is then sold. More data breaches like Equifax are guaranteed.

The best strategy for individuals is to launch a deliberate misinformation campaign: Create as many bogus accounts as possible and use them. Bad birthdays, bad SS#. Give bad info to every site and service where it isn’t a crime. This is the only tool we consumers have left.

Wait. Pause. jake is confused by the term “fileless”:

 Last time I checked, a .DLL was a file. Not only a file, but a file that can contain executable code.

But Gaius sets him straight:

 A DLL can be downloaded from a remote server, buffered in memory, and be injected into an existing process all without ever touching the disk.

Loading code from the network without ever touching the disk is nothing new. In fact it was one of the major features of Java back in the mid 90’s.

And david 12 expands on the theme:

 Astaroth isn’t actually fileless by any stretch of the imagination. It just uses “fileless” techniques as part of it’s infection process.

It starts with you downloading a link, not an executable. Links are harmless right? They aren’t executables right? They are actual files, and the Astoroth download is a zipped file containing the link, which is a file, but we’ll call it “fileless” because there wasn’t an exe.

It uses other “fileless” techniques, and it downloads other files, and even saves files in the file system, and generally becomes less and less “fileless” the further you go, but a lot of virus protection is at the edge of the system, looking for specific executables or executables that do specific things, and we’ll call this “fileless” because virus scanners might miss it.

Meanwhile, are you thinking what this Anonymous Coward is thinking?

 [Microsoft] can’t secure their OS but they can sell an antivirus package that can? This is truly a clown world.

And Finally:

The Giant Underground Tunnels Protecting Tokyo From Floods

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Mathieu Glachant (cc:by)

Richi Jennings

Featured eBook
Identifying Web Attack Indicators

Identifying Web Attack Indicators

Attackers are always looking for ways into web and mobile applications. The 2019 Verizon Data Breach Investigation Report listed web applications the number ONE vector attackers use when breaching organizations. In this paper, we examine malicious web request patterns for four of the most common web attack methods and show how to gain the context and ... Read More
Signal Sciences

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 147 posts and counting.See all posts by richi