Astaroth: Arming Yourself Against Fileless Malware Attacks

DANIEL MILLER on July 25, 2019

It’s been all over the news: Microsoft has issued a warning about the latest villain in the world of cybersecurity – a fileless malware campaign called Astaroth. Like its namesake, the Great Duke of Hell, there’s something truly hellish about this campaign, which uses “Living off the Land” and fileless malware techniques to evade detection.

What is fileless malware?

When traditional malware infects a device, it leaves malicious files or folders on the hard drive. However, fileless malware runs only in a computer’s RAM, leaving no trace of anything suspicious on the hard drive. As a type of “living-off-the-land” attack, fileless malware doesn’t download anything new to the user device and leaves no footprint behind. Instead, it uses pre-existing tools, and injects the malicious code into genuine system processes. Even to an experienced user, analyzing the list of running system processes wouldn’t raise a red flag. These attacks can evade detection by many antivirus and antimalware solutions, which rely on scanning and detecting malicious files or foreign processes, making fileless attacks a particularly formidable threat.

Astaroth’s weapons of choice: spear-phishing + command-line tools

Astaroth typically finds its way into organizational networks through a spear-phishing attack. The targeted users receive emails with a malicious link to a website hosting a Microsoft shortcut (.LNK) file. When the link is clicked, the LNK file sends instructions to a common command-line tool, such as WMIC, Userinit, or Regsvr32. These tools can be found on most Windows machines, and allow the running code to disguise itself as a standard Windows process. In reality, this wolf in sheep’s clothing is executing a series of steps to assemble all the necessary ingredients for a truly Hellish brew, culminating with the injection of the Astaroth Trojan itself.

Astaroth is designed to harvest valuable data such as user credentials, uploading them to a remote server and selling them to cybercriminals or using them to carry out fraudulent financial transactions. Astaroth uses a few attack vectors to steal information – these include forcing apps to release data, monitoring the clipboard for valuable copied information, and using keyloggers to record user keyboard input. The damage caused by malware like Astaroth can be crippling, with the average data breach costing the target organization millions of dollars in both direct and indirect costs.

An important message from the Microsoft security team

So, how was the Astaroth campaign discovered? Andrea Lelli, from the Microsoft security team, described how a sudden spike in the usage of WMIC (the Windows Management Instrumentation Command-line) led to uncovering the malicious script behind Astaroth’s deployment. In the announcement, Lelli expressed the importance of using sophisticated security solutions that can defend against fileless and living-off-the-land techniques.

Faced with Astaroth and other fileless threats, it’s clear that traditional detection-based solutions are inadequate for efficient endpoint protection.

Keeping fileless threats at bay

So, what steps can you take to prevent a “fileless” threat like Astaroth from gaining a foothold in your organization? As many organizations have already come to realize, effective cyber security is all about layers. Here are the critical components to combat the next Astaroth-like attack:

  1. Provide employee education
    Human error is a common cause of data breaches and malware infections. Even if you have the right tools in place, users could give hackers access to your network. Ensure all employees undergo rigorous cybersecurity awareness training and know how to recognize phishing attempts and other socially engineered attacks.
  2. Keep software updated (patches and updates)
    Many attackers rely on system vulnerabilities – keeping vulnerabilities patched and all software up to date (especially command line tools like PowerShell) is a critical step in network protection against fileless malware.
  3. Disable unnecessary tools
    If you don’t use it – lose it. Unnecessary admin tools give fileless malware an easy way in. Try and use system admin tools as little as possible, disabling anything that remains inactive.
  4. Implement strict access controls
    To prevent fileless malware like the Astaroth Trojan from stealing credentials, have strict access controls in place to protect credentials from non-authorized network users. Use two-step verification, antivirus and firewall solutions, and zero trust policies to ensure users only have privileges to access exactly what they need.
  5. Carry out continuous monitoring
    Scanning files for malicious code as soon as they reached your network used to be enough. Now, with fileless malware, processes associated with vulnerable programs, like command line tools, must be continuously monitored to detect the presence of malicious scripts or activity.
  6. Isolate sensitive systems and data from the Wild Web
    Remote Browser Isolation (RBI) solutions like Ericom Shield provide protection from web-based threats, including fileless threats.
    Instead of detecting malicious files, RBI executes all active web code (malicious or otherwise) in a virtual, disposable container outside of the organizational network. A malicious script like the one used in the Astaroth campaign will never even reach the organizational network, preventing the Astaroth Trojan from infecting the endpoint. For the user, life carries on as normal – the resulting interactive stream of media creates a seamless browsing experience. Once the browsing session is over, the container is destroyed along with anything in it. In addition, Ericom Shield can be configured to block suspected phishing sites or load them in read-only mode, so users can’t enter their credentials. To stop a fileless threat like Astaroth, RBI is an invaluable tool.
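
Added example (not from the original article or from Microsoft): the WMIC usage spike that exposed Astaroth, and the continuous monitoring of command-line tools in step 5, can be approximated by counting daily launches of the tools the article names and comparing each day against a rolling median baseline. The event tuples, host names, dates, window and threshold below are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Command-line tools the article names as abused in the Astaroth chain.
WATCHED = {"wmic.exe", "userinit.exe", "regsvr32.exe"}
DAYS = [f"2019-06-{d:02d}" for d in range(1, 11)]  # constructed dates

def sample_events():
    """Constructed process-creation records: (day, host, image path)."""
    wmic_per_day = [3, 4, 3, 5, 4, 3, 4, 4, 3, 40]  # last day is the spike
    events = []
    for day, n in zip(DAYS, wmic_per_day):
        events += [(day, "HOST-A", r"C:\Windows\System32\wbem\WMIC.exe")] * n
        events.append((day, "HOST-B", r"C:\Windows\System32\regsvr32.exe"))
        events.append((day, "HOST-B", r"C:\Windows\System32\notepad.exe"))
    return events

def daily_counts(events):
    """Return {tool: Counter({day: launches})} for watched tools only."""
    counts = defaultdict(Counter)
    for day, _host, image in events:
        tool = image.rsplit("\\", 1)[-1].lower()
        if tool in WATCHED:
            counts[tool][day] += 1
    return counts

def spikes(counts, days, window=7, threshold=5.0):
    """Flag days whose count exceeds the prior-window median by more than
    threshold * MAD (median absolute deviation). Both knobs are assumptions."""
    alerts = []
    for tool, per_day in counts.items():
        series = [per_day.get(d, 0) for d in days]
        for i in range(window, len(days)):
            history = series[i - window:i]
            base = median(history)
            # Floor the MAD at 1 so a perfectly flat baseline does not
            # turn every single extra launch into an alert.
            mad = max(median([abs(x - base) for x in history]), 1)
            if series[i] - base > threshold * mad:
                alerts.append((tool, days[i], series[i], base))
    return alerts

if __name__ == "__main__":
    for tool, day, count, base in spikes(daily_counts(sample_events()), DAYS):
        print(f"{day} {tool}: {count} launches vs baseline median {base}")
```

In practice the tuples would come from process-creation telemetry such as Sysmon Event ID 1 or Windows Security Event ID 4688, grouped per host or per organizational unit before the baseline is computed.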

Armed against the fileless threat

Fileless malware accounted for 35% of all cyberattacks in 2018. Like Astaroth, all of these threats were both dangerous and hard to detect. To keep your organization safe, don’t rely on traditional security tools - take an all-round approach to cybersecurity, ensuring protection from even zero-day threats through a mixture of education and controls, continuous monitoring, and advanced security solutions like RBI.

Daniel Miller

Senior Director of Product Marketing | Ericom Software