Astaroth malware is back. This time it's even stealthier

silversurfer

Astaroth, a group that uses legitimate Windows tools to spread malware, has retooled after Microsoft drew attention to its living-off-the-land techniques last July. The group in February stepped up its activity with even stealthier methods.

Last year the Windows Defender ATP team detected a huge spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool, which is built in to Windows.

Microsoft's investigation found a major spam operation spreading email with a link to a website hosting a .LNK shortcut file. If a recipient downloaded and ran the file, it would launch WMIC and several other Windows tools to download and run fileless malware in memory, below the view of traditional antivirus.

"Astaroth now completely avoids the use of WMIC and related techniques to bypass existing detections," Hardik Suri of the Microsoft Defender ATP Research Team said in a new update.

Microsoft Defender ATP data shows that Astaroth campaigns trickled out over January followed by three massive spikes in activity during February.

While the campaign still begins with a spam email containing a link to a website hosting a malicious .LNK file, Astaroth is now using Alternate Data Streams (ADS) – a file attribute that allows the attacker to attach data to an existing file – to hide malicious payloads.
To load the payload, it's abusing ExtExport.exe, which Suri explains is a legitimate process and a "highly uncommon attack vector".

According to Suri, these new techniques make the fileless malware "even stealthier".
For example, using ADS allows stream data to remain invisible in File Explorer, and in this case Astaroth reads and decrypts several plugins from ADS streams in desktop.ini that allow Astaroth to steal email and browser passwords as well as find and disable installed security software.
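The post explains that Astaroth hides its plugins in alternate data streams attached to desktop.ini, where File Explorer will not show them. The following PowerShell script is an added defender-side example, not code from the article, from Microsoft or from the poster: it walks a folder tree, enumerates every NTFS stream on each desktop.ini it finds, and reports any stream that is not the default unnamed stream (`:$DATA`) or the common Zone.Identifier mark-of-the-web stream. The root path and the list of expected stream names are assumptions you would adjust for your environment.

```powershell
# Added example: hunt for unexpected alternate data streams on desktop.ini files.
# Assumptions: the root folder below and the list of "known good" stream names.
param(
    [string]$Root = "$env:USERPROFILE",
    [string[]]$KnownStreams = @(':$DATA', 'Zone.Identifier')
)

# desktop.ini files normally carry the hidden and system attributes,
# so -Force is required for Get-ChildItem to return them at all.
$iniFiles = Get-ChildItem -Path $Root -Filter 'desktop.ini' -Recurse -Force -File `
    -ErrorAction SilentlyContinue

$findings = foreach ($file in $iniFiles) {
    # -Stream * lists every NTFS stream on the file, including the unnamed ':$DATA'.
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        if ($KnownStreams -notcontains $s.Stream) {
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $s.Stream
                Bytes  = $s.Length
            }
        }
    }
}

if ($findings) {
    # Largest streams first: an encrypted plugin is far bigger than the few
    # hundred bytes a genuine desktop.ini occupies.
    $findings | Sort-Object Bytes -Descending | Format-Table -AutoSize

    # To preserve a suspicious stream for analysis without running anything,
    # copy its raw bytes out (Windows PowerShell 5.1 syntax shown; on
    # PowerShell 7 replace "-Encoding Byte" with "-AsByteStream"):
    # Get-Content -LiteralPath $findings[0].File -Stream $findings[0].Stream `
    #     -Encoding Byte -ReadCount 0 | Set-Content -Path .\stream.bin -Encoding Byte
} else {
    "No unexpected alternate data streams found on desktop.ini files under $Root"
}
```

Run it from an elevated prompt if the folders you care about are outside the current user's profile. Zone.Identifier is listed as expected because Windows attaches it to downloaded files and it is rarely interesting on its own; any other named stream on a desktop.ini is worth pulling out and inspecting, and the `Get-Item -Stream *` call generalizes to any file type, not just desktop.ini, if you want a broader sweep.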