EXECUTIVE SUMMARY:

Invaders used to attack under the cloak of darkness. Now they’re invisible at any hour of the day or night.

The Microsoft Defender Advanced Threat Protection Research Team recently announced that Windows users may be targeted by Astaroth malware, which takes advantage of fileless transfers and living-off-the-land techniques.

Microsoft took notice of the attack after recognizing a spike in the usage of the Windows Management Instrumentation Command-line (WMIC) tool. It is the weaponization of this tool that makes the attack unique.

Image courtesy of ZDNet.

Dissemination and execution of the Astaroth malware occurs via Windows LOLBins. “To an average person, this activity can seem like a legitimate Windows activity….because it’s being executed by Windows processes,” says an expert in the field.

To initiate the attack chain, a victim must still click on a malicious link, however, plenty of people routinely fall prey to these kinds of schemes. To steal login credentials, the malware tracks users’ keystrokes, among employing other insidious methodologies. Once the malware lifts information from the computer, it can be uploaded to a remote server and used in nefarious ways.

Initially discovered in 2017, this malware has dogged European and Brazilian companies for two years.

“Its abuse of legitimate tools such as WMIC and BITSAdmin has been chronicled before, including in this Cybereason report from February 2019,” reports SCMagazine.

For obvious reasons, the malware has received an alternate name, the ‘Great Duke of Hell.’

Insure that your computers are patched and updated, and that your business has the armor it needs to find and defeat fileless malware.

For more on the technical details of this story, visit ZDNet.