New Astaroth malware campaign uses fileless technique for execution

• The campaign pushed a large number of emails that contained a malicious link for an LNK file.
• It made use of the WMIC tool to run malicious scripts which would execute payloads in memory.

A new campaign that delivers Astaroth malware through fileless execution has been spotted by Microsoft’s Defender ATP team. It was found that the campaign ran Astaroth directly in memory. The attackers relied on spear-phishing in order to spread this information-stealing malware. Furthermore, they leveraged the Windows Management Instrumentation Command-line (WMIC) tool to run scripts for fileless execution.

The big picture

• In a blog post, Andrea Lelli of the Defender ATP team describes the new campaign in detail which drops Astaroth trojan in Windows machines.
• According to Lelli, the attack chain in the campaign took seven steps to deliver the malware.
• The attack began with a phishing mail that contained a link to an LNK file. Clicking on this file would run a BAT command-line that runs the WMIC tool.
• An XSL file containing an obfuscated JavaScript is then downloaded, which runs the WMIC utility again. This step is repeated while making use of legitimate tools such as Bitsadmin, Certuil, and Regsvr.
• Bitsadmin downloads encoded payloads which in turn are decoded by Certutil. These payloads when executed with Regsvr, download a series of DLL files which includes Astaroth.

Worth noting

Lelli believes that the attackers might deploy other techniques on top of using a living-off-the-land technique for spreading Astaroth.

“The attack chain above shows only the Initial Access and Execution stages. In these stages, the attackers used fileless techniques to attempt to silently install the malware on target devices. Astaroth is a notorious information stealer with many other post-breach capabilities that are not discussed in this blog. Preventing the attack in these stages is critical,” Lelli wrote in the blog.