This article is more than 1 year old

Meet the Great Duke of... DLL: Microsoft shines light on Astaroth, a devilishly sneaky strain of fileless malware

DLL or no DLL?

Microsoft has lifted the lid on the inner-workings of a particularly nasty piece of fileless malware that aims to pilfer user data without needing to install software on the victim's machine.

Dubbed Astaroth – the same name as the Great Duke of Hell – the software nasty has been in circulation since 2017 and has primarily been used to steal data from companies in South America and Europe via targeted attacks launched through spear-phishing.

What makes the infection unique, says Microsoft Defender APT research team member Andrea Lelli, is its ability to fly under the radar of traditional antivirus products by operating without ever needing to install an executable on the victim's machine.

"Astaroth is a notorious info-stealing malware known for stealing sensitive information like credentials, keystrokes, and other data, which it exfiltrates and sends to a remote attacker," Lelli explained today.

"The attacker can then use stolen data to try moving laterally across networks, carry out financial theft, or sell victim information in the cybercriminal underground."

Typically, the attack begins when a victim opens a link inside a spear-phishing email. That link, in turn, opens up a shortcut file to a terminal command that downloads and runs JavaScript code. The JavaScript now pulls and runs two DLL files that perform the dirty work of logging and uploading the victim's information while disguising itself as a system process.

This procedure is highly effective against traditional signature-based detection tools because, throughout the process, nothing other than the DLL files are actually downloaded or installed. Thus there is little opportunity to scan or catch the attack.

Hacker

Sneaky 'fileless' malware flung at Israeli targets via booby-trapped Word docs

READ MORE

It is also an approach that has let Astaroth thrive since late 2017 without having to rely on vulnerability exploits or traditional trojan downloaders.

"For traditional, file-centric antivirus solutions, the only window of opportunity to detect this attack may be when the two DLLs are decoded after being downloaded—after all, every executable used in the attack is non-malicious," said Lelli.

"If this were the case, this attack would pose a serious problem: since the DLLs use code obfuscation and are likely to change very rapidly between campaigns, focusing on these DLLs would be a vicious trap."

To catch the malware, Lelli says, Microsoft and other vendors have had to rely on their heuristic detection tools. In particular, AV tools need to be closely monitoring the use of WMIC command-line code and applying rules when loading DLL files - such as checking the age of a file and flagging or blocking newly-created DLLs from running. When you know what you are looking for, Lelli explains, fileless malware isn't particularly hard for newer security tools to catch.

"Being invisible may help you for some things, but you should not be under the illusion that you are invincible. The same applies to fileless malware: abusing fileless techniques does not put malware beyond the reach or visibility of security software," the Redmond security bod writes.

"On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would." ®

More about

TIP US OFF

Send us news


Other stories you might like