Tech giant Microsoft recently issued a warning regarding ongoing infection campaigns that distribute the Astaroth malware. The company's security team added that some of these campaigns take advantage of fileless and living-off-the-land techniques in order to infect users. Because they employ these techniques, the perpetrators are extremely hard to track, and the attacks render anti-virus software completely useless.

The attacks were first detected and reported by the team behind Windows Defender ATP, the commercial version of Microsoft's free antivirus software, Windows Defender. A member of the Windows Defender ATP team said that the first waves of attacks were targeted at Microsoft's offices. The team tasked with monitoring these attacks reported a huge spike in the usage of the Windows Management Instrumentation Command-line tool (WMIC).

WMIC is a tool packaged with all modern versions of the Windows operating system. However, Microsoft's security team noted that the huge spike in usage suggests that some malicious users are using the tool in order to launch malware campaigns.

Upon closer inspection, Microsoft discovered that a systematic malware distribution campaign had been launched against its systems. The techniques employed by the perpetrators include a massive spambot operation that sends out emails containing a link directing users to a website that hosts an .LNK shortcut file.

Unsuspecting users who open this file inadvertently launch a chain of Windows tools, one after the other, one of which is WMIC. Once launched, the tools download additional code and pass their output from one to the next. What separates this attack from usual malware execution is that it runs solely in the computer's RAM, or memory. This is what many security experts call fileless execution, in which no file is saved to the host's hard drive. By employing this tactic, the malware is totally undetectable by common anti-virus software, since there is virtually nothing on disk to scan.
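As an added defender-side illustration (not code from Microsoft's report or from this article), the following Python applies the two signals the article describes, a spike in WMIC launches on a host and WMIC being used to pull content from a remote address, to constructed process-creation records, and reconstructs the parent chain of each flagged launch. The record field names, the per-host baseline and the sample events are assumptions.

```python
import re
from collections import Counter

# Constructed process-creation records with hypothetical field names
# (not real telemetry); real WMIC arguments are deliberately omitted.
EVENTS = [
    {"pid": 100, "ppid": 1, "host": "ws01", "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "host": "ws01", "image": "cmd.exe", "cmdline": "cmd.exe /c ..."},
    {"pid": 102, "ppid": 101, "host": "ws01", "image": "wmic.exe",
     "cmdline": "wmic.exe [args omitted] http://example.invalid/stage1"},
    {"pid": 103, "ppid": 101, "host": "ws01", "image": "wmic.exe",
     "cmdline": "wmic.exe [args omitted] https://example.invalid/stage2"},
    {"pid": 104, "ppid": 50, "host": "ws01", "image": "wmic.exe",
     "cmdline": "wmic.exe computersystem get name"},
    {"pid": 200, "ppid": 1, "host": "ws02", "image": "wmic.exe",
     "cmdline": "wmic.exe os get caption"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)

def lineage(events, pid):
    """Return the chain of process images from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def flag_remote_fetch(events):
    """Return pids of wmic.exe launches whose command line carries a URL,
    i.e. the built-in tool is being pointed at a remote host for content."""
    return [e["pid"] for e in events
            if e["image"].lower() == "wmic.exe" and URL_RE.search(e["cmdline"])]

def wmic_spike(events, baseline=2):
    """Return hosts whose count of wmic.exe launches exceeds the assumed baseline."""
    counts = Counter(e["host"] for e in events if e["image"].lower() == "wmic.exe")
    return sorted(h for h, n in counts.items() if n > baseline)

def report(events, baseline=2):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for pid in flag_remote_fetch(events):
        findings.append(f"wmic.exe pid {pid} fetches remote content; lineage: "
                        + " > ".join(lineage(events, pid)))
    for host in wmic_spike(events, baseline):
        findings.append(f"host {host}: wmic.exe launches above baseline of {baseline}")
    return findings

if __name__ == "__main__":
    for line in report(EVENTS):
        print(line)
```

The URL check deliberately ignores the specific WMIC switches, so it also catches variants that pass the address through different arguments, at the cost of needing a per-environment baseline to keep the spike check from firing on legitimate inventory scripts.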

At the end of the code execution chain, the attack downloads and executes the Astaroth malware. This malware is known for stealing user information, and it is capable of dumping user credentials. It then uploads this stolen information to a remote server.

This is not the first time that this type of attack has been employed against a major company or institution. The Astaroth malware was first detected in 2018. Since its detection, the malware has been used to target thousands of users in Europe and Brazil.