
Astaroth 'Great Duke Of Hell' Fileless Malware Attack Campaigns Propagate to Spread Threat

Microsoft recently lifted the veil on one very unpleasant piece of fileless malware that steals data without ever having to be installed on a victim's machine: Astaroth.

The recently published report by the Microsoft Research team that opened the lid on the activities of the Astaroth fileless malware forced the threat actors behind it to change their tactics. They ran a new campaign in August with a few notable changes, specifically the use of Cloudflare Workers.

The new campaign is actively distributing the new Astaroth Trojan variant by abusing the Cloudflare Workers serverless computing platform, whose serverless nature helps the operators avoid detection and block the automated analysis done by security companies. According to Check Point's Marcel Afrahim, the malware researcher who discovered this recent Astaroth variant, Workers has a free plan that anyone can sign up for, offering up to a hundred thousand requests per day. Astaroth operators now use Cloudflare Workers in their three-step infection process, which starts with a phishing email whose HTML attachment carries obfuscated JavaScript that links to a domain behind the Cloudflare infrastructure. This kind of propagation has raised many red flags, while the ultimate end-goal of the attacks has yet to be seen.

Named after a demon from the occult books 'Ars Goetia' and 'The Key of Solomon', said to seduce his victims through vanity and laziness, this malware has been in circulation since 2017. The threat is therefore dubbed the 'Great Duke of Hell' malware attack. It was mostly used to steal data from South American and European companies in targeted attacks that used spear phishing as the point of entry.

There is something that makes this specific infection unique, according to Microsoft Defender ATP researcher Andrea Lelli: it can stealthily slip past the detection methods of some traditional antivirus programs.

According to Lelli, Astaroth is notorious for stealing personal credentials, keylogging and more, with the harvested data then exfiltrated to a remote server. The attackers then use the data for financial theft, for selling personal information to other criminals, or even for moving laterally across networks.

How Astaroth Infects Systems

The attack usually starts when a victim opens a link inside a spear-phishing email, the social engineering tool the attackers use as the entry point of their operations. The scam relies on the victim opening the link, which opens a shortcut file that runs command-line instructions; these download and run the JavaScript code that makes the infection possible. The script then downloads and runs two DLL files that handle the logging and uploading of harvested information, all the while pretending to be legitimate system processes.

The procedure works well against signature-based detection tools, since nothing but the two DLL files gets downloaded or installed. This leaves little chance to scan for and catch the attack in progress. This approach allowed Astaroth to fly under the radar and thrive online since late 2017 without the usual reliance on trojan downloaders or any vulnerability exploits.

Fileless Malware Detection Measures

According to Lelli, traditional file-centric antivirus solutions have only one chance to detect the attack: during the download of the two DLL files, since the executable used in the attack is considered non-malicious. The DLLs use code obfuscation and vary between campaigns, which means focusing detection on those two files would be 'a vicious trap', Lelli added.

Microsoft and other vendors therefore have to rely on heuristic detection tools, such as those that closely watch for use of the WMIC command line and apply rules whenever DLL files are loaded. Checking the age of a file, blocking newly created DLLs from running and similar tactics allow newer security tools to catch up with fileless malware.
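As an added example (not from the article, from Microsoft, or from any vendor's tooling), here is a toy Python implementation of the two heuristics just described, run over constructed process-creation and DLL-load events; the event fields, the 10-minute "newly created" threshold and all sample paths are assumptions.

```python
from datetime import datetime, timedelta

# Assumed threshold for "newly created": a DLL loaded within 10 minutes of
# its creation on disk is treated as a freshly dropped payload.
MAX_DLL_AGE = timedelta(minutes=10)


def _ts(s):
    return datetime.fromisoformat(s)


def check_event(ev):
    """Return an alert dict for one telemetry event, or None if no heuristic fires."""
    if ev["type"] == "process" and ev["image"].lower().endswith("\\wmic.exe"):
        # Heuristic 1: WMIC command-line use is rare for ordinary users, so every
        # invocation is surfaced for review together with its command line.
        return {"rule": "wmic_cmdline", "detail": ev["cmdline"], "action": "alert"}
    if ev["type"] == "imageload" and ev["loaded"].lower().endswith(".dll"):
        age = _ts(ev["time"]) - _ts(ev["created"])
        if age < MAX_DLL_AGE:
            # Heuristic 2: a DLL written to disk moments before being loaded is
            # blocked rather than scanned, since its contents vary per campaign.
            return {"rule": "young_dll_load", "detail": ev["loaded"], "action": "block"}
    return None


def evaluate(events):
    """Apply both heuristics to a list of events and return the alerts raised."""
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample telemetry (hypothetical paths, not indicators from any campaign).
SAMPLE_EVENTS = [
    {"type": "process", "time": "2019-09-02T10:00:01", "image": r"C:\Windows\System32\wmic.exe",
     "cmdline": "wmic.exe process list brief", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "time": "2019-09-02T10:00:02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "parent": r"C:\Windows\explorer.exe"},
    {"type": "imageload", "time": "2019-09-02T10:00:05", "loaded": r"C:\Windows\System32\kernel32.dll",
     "created": "2019-03-19T04:46:00"},
    {"type": "imageload", "time": "2019-09-02T10:00:07", "loaded": r"C:\Temp\example.dll",
     "created": "2019-09-02T09:58:40"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Against the sample events the WMIC invocation and the DLL created 87 seconds before it was loaded are flagged, while notepad.exe and the months-old kernel32.dll pass.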
