Microsoft Discovers Fileless Astaroth Trojan Campaign

silversurfer (Thread author)
A fileless malware campaign used by attackers to drop the information-stealing Astaroth Trojan directly into the memory of infected computers was detected by the Microsoft Defender ATP Research Team.

Astaroth is an information-stealing Trojan capable of harvesting sensitive data such as user credentials from its victims using a keylogger module, interception of operating system calls, and clipboard monitoring.

Astaroth is also known for abusing living-off-the-land binaries (LOLbins) such as the command line interface of the Windows Management Instrumentation Command-line (WMIC) to stealthily download and install malware payloads in the background.
We recently unearthed a campaign that completely "lived off the land" throughout a complex attack chain that ran the info-stealing backdoor #Astaroth directly in memory. See how #MicrosoftDefenderATP next-gen protection defeated the #fileless attack: https://t.co/c2G53Ll2kf
— Microsoft Security Intelligence (@MsftSecIntel) July 8, 2019
Attack would have failed miserably on my setup.
Step 2: block WMIC.exe from running through a Software Restriction Policy set by H_C (except for Admins, so an elevated run of WMIC.exe is still possible).
Step 6: exploit prevention of Code Integrity Guard (only allow Microsoft-signed images to load).

Benefits of running Microsoft programs only (plus FileZilla for website uploads and Hemingway Editor to check the ease of reading of content) :cool:

Blocking images not signed by Microsoft from running or registering will cause those processes to fail and will certainly brick your system when you are using third-party security or backup software, so please take the warning seriously!



Quickly logging out before I am tarred and feathered, back to anonymity of lurker's legion :)
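Added example, not from the post above or from H_C: the two hardening steps the reply names, expressed as PowerShell you can run elevated on Windows 10 1709 or later. Part one writes a Software Restriction Policy "Disallowed" path rule for wmic.exe that applies to all users except local administrators; part two applies Code Integrity Guard (the `MicrosoftSignedOnly` mitigation) to a single process rather than system-wide. Assumptions: the SRP registry layout below matches what the Local Security Policy snap-in (secpol.msc) writes, the `ProcessMitigations` cmdlets are available, and `Add-SrpDisallowRule` is a helper named here for illustration.

```powershell
# Added example (not the thread's own code). Run elevated.
# Assumption: registry layout matches what secpol.msc writes for SRP path rules.
#Requires -RunAsAdministrator

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path "$safer\0\Paths" -Force | Out-Null

# PolicyScope 1 = "all users except local administrators" (0 = all users),
# so an elevated WMIC run by an admin still works, as the reply describes.
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 1       -Type DWord
# DefaultLevel 0x40000 = Unrestricted; only the explicit rules below disallow anything.
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord
# TransparentEnabled 1 = enforce on executables only (2 would also cover DLLs).
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord

function Add-SrpDisallowRule {
    param([string]$Path, [string]$Description)
    # Each path rule lives under CodeIdentifiers\<level>\Paths\{GUID}; level 0 = Disallowed.
    $key = "$safer\0\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description -Value $Description -Type String
    return $key
}

# Block both the native and the WOW64 copy, otherwise the rule is trivially bypassed.
Add-SrpDisallowRule '%SystemRoot%\System32\wbem\wmic.exe'  'Block WMIC for standard users'
Add-SrpDisallowRule '%SystemRoot%\SysWOW64\wbem\wmic.exe'  'Block WMIC (32-bit) for standard users'

# Code Integrity Guard scoped to one process. Using -System instead would apply
# MicrosoftSignedOnly to every process and break third-party software that loads
# its own unsigned or non-Microsoft-signed DLLs, which is the warning the reply gives.
Set-ProcessMitigation -Name wmic.exe -Enable MicrosoftSignedOnly

# Verify what is now configured for wmic.exe.
Get-ProcessMitigation -Name wmic.exe
```

SRP rules written this way take effect at the next logon; to confirm the block, sign in as a standard user and run `wmic os get caption`, which should be refused with "This program is blocked by group policy". Test the CIG setting on a machine you can afford to break first, and keep the mitigation per-process unless every DLL your security and backup tools load carries a Microsoft signature.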