Microsoft says it recently detected and stopped a fileless campaign looking to deliver the Astaroth Trojan to unsuspecting victims.
The malware has been around for a couple of years and is known for the use of various fileless techniques to stay undetected on systems. Earlier this year, the threat was observed abusing an Avast process for malicious purposes.
The newly discovered campaign employed a complex attack chain relying on system tools to run the Astaroth backdoor directly in memory. Once executed on the victim’s machine, the malware can steal credentials, keystrokes and other data, and sends the information to the attacker.
“It’s interesting to note that at no point during the attack chain is any file run that’s not a system tool. This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity,” Microsoft notes.
Despite the use of this complex fileless attack chain during the initial access and execution stages, the abuse of known infection techniques allowed Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to detect and foil the campaign.
These techniques include spear-phishing link and shortcut modification, WMIC abuse, XSL script processing, scripting, obfuscated files, Bitsadmin abuse, remote file copy, Certutil abuse, Regsvr32 abuse, execution through module load, and Userinit abuse.
According to Microsoft, fileless malware clearly isn’t invisible and can be detected. In fact, some of the employed fileless techniques may be so unusual and anomalous that they immediately draw attention to the unfolding attack.