Astaroth, an info-stealing malware operation that relies on legitimate Windows tools to spread and run its payloads, has retooled after Microsoft drew attention to its living-off-the-land techniques last July. In February its operators stepped up activity with even stealthier methods.
Last year the Windows Defender ATP team detected a huge spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool, which is built into Windows.
Microsoft's investigation found a major spam operation spreading email with a link to a website hosting a .LNK shortcut file. If a recipient downloaded and ran the file, it would launch WMIC and several other Windows tools to download and run fileless malware in memory, out of sight of traditional antivirus, which looks for malicious files on disk.
"Astaroth now completely avoids the use of WMIC and related techniques to bypass existing detections," Hardik Suri of the Microsoft Defender ATP Research Team said in a new update.
Microsoft Defender ATP data shows that Astaroth campaigns trickled out over January followed by three massive spikes in activity during February.
While the campaign still begins with a spam email containing a link to a website hosting a malicious .LNK file, Astaroth is now using Alternate Data Streams (ADS), an NTFS feature that lets additional named data streams be attached to an existing file, to hide malicious payloads.
To load the payload, it's abusing ExtExport.exe, which Suri explains is a legitimate process and a "highly uncommon attack vector".
According to Suri, these new techniques make the fileless malware "even stealthier".
For example, ADS content does not show up in File Explorer or in a plain directory listing (a `dir /R` or a stream-aware tool is needed to see it). In this case Astaroth reads and decrypts several plugins from ADS streams attached to desktop.ini files; the plugins let it steal email and browser passwords and find and disable installed security software.
The plugins are the NirSoft MailPassView tool for recovering email client passwords and the NirSoft WebBrowserPassView tool for recovering passwords from browsers.
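The following hunting script is an added example written for this page; it is not code from the article or from Microsoft's research. It enumerates the alternate data streams attached to desktop.ini files under a few user-writable roots, reads each stream, and scores it with Shannon entropy, since an encrypted plugin of the kind described above will sit close to 8 bits per byte while a normal stream (text, a small icon reference) will not. The roots, the 7.0 entropy threshold and the exclusion of the benign Zone.Identifier stream are assumptions; it needs Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.

```powershell
# Added example, not from the article or Microsoft: hunt for alternate data streams
# attached to desktop.ini files and flag high-entropy (likely encrypted) content.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7, NTFS volumes, roots and
# threshold below chosen for illustration.
param(
    [string[]]$Roots = @($env:USERPROFILE, $env:ProgramData, $env:PUBLIC),
    [double]$EntropyThreshold = 7.0   # assumed cut-off; random-looking data approaches 8.0
)

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $n = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $n
            $entropy -= $p * [math]::Log($p, 2)
        }
    }
    return [math]::Round($entropy, 3)
}

function Read-StreamBytes {
    param([string]$Path, [string]$Stream)
    # Windows PowerShell uses -Encoding Byte; PowerShell 7 replaced it with -AsByteStream.
    $readArgs = @{ LiteralPath = $Path; Stream = $Stream; ReadCount = 0; ErrorAction = 'Stop' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $readArgs['AsByteStream'] = $true }
    else { $readArgs['Encoding'] = 'Byte' }
    return [byte[]](Get-Content @readArgs)
}

$findings = foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter 'desktop.ini' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # ':$DATA' is the file's own primary stream; Zone.Identifier is the mark-of-the-web
        # that browsers attach to downloads, so neither is interesting here.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
        ForEach-Object {
            try { $bytes = Read-StreamBytes -Path $file.FullName -Stream $_.Stream } catch { $bytes = @() }
            [pscustomobject]@{
                File     = $file.FullName
                Stream   = $_.Stream
                Bytes    = $_.Length
                Entropy  = Get-ShannonEntropy -Bytes $bytes
                Modified = $file.LastWriteTimeUtc
            }
        }
    }
}

if (-not $findings) {
    Write-Host 'No alternate data streams found on desktop.ini files under the scanned roots.'
} else {
    $findings | Sort-Object Entropy -Descending | Format-Table -AutoSize
    foreach ($s in ($findings | Where-Object { $_.Entropy -ge $EntropyThreshold })) {
        Write-Warning ("High-entropy stream {0}:{1} ({2} bytes, entropy {3}); treat as a possible encrypted payload" -f `
            $s.File, $s.Stream, $s.Bytes, $s.Entropy)
    }
}
```

Desktop.ini is a legitimate file that Explorer creates in many folders, so the presence of the file itself means nothing; the signal is a named stream on it that is not Zone.Identifier, especially one with near-random content. To preserve a flagged stream for analysis, read it with `Get-Content -LiteralPath <file> -Stream <name>` and write it to a separate file rather than copying desktop.ini, since most copy tools drop alternate streams.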
Another legitimate tool it abuses is BITSAdmin, a command-line tool for admins to create download or upload jobs and monitor their progress. In this case, it's used to download encrypted payloads from a command-and-control server.
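Because BITSAdmin is a signed, built-in tool, blocking it outright is rarely an option; the practical check is to audit what BITS is actually transferring. The script below is an added example for this page, not code from the article or from Microsoft. It lists the live BITS jobs for all users and the transfer-start events from the last day, then flags any job whose remote URL is not under a small allowlist of Microsoft update hosts. That allowlist, the 24-hour window and the regex used to pull the URL out of the event message are assumptions; it needs an elevated prompt on Windows 8/Server 2012 or later, where the BitsTransfer module and the Bits-Client operational log are present.

```powershell
# Added example, not from the article or Microsoft: audit BITS transfers for
# downloads from hosts outside an allowlist. Assumptions: elevated Windows PowerShell,
# BitsTransfer module available, allowlist and lookback chosen for illustration.
param(
    [string[]]$TrustedHostSuffixes = @('microsoft.com', 'windowsupdate.com', 'windows.com', 'msecnd.net'),
    [int]$LookbackHours = 24
)

Import-Module BitsTransfer -ErrorAction Stop

function Test-TrustedUrl {
    param([string]$Url)
    try { $uri = [uri]$Url } catch { return $false }
    if ($uri.Scheme -notin 'http', 'https') { return $false }
    foreach ($suffix in $TrustedHostSuffixes) {
        if ($uri.Host -eq $suffix -or $uri.Host.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

$rows = [System.Collections.Generic.List[object]]::new()

# 1. Live jobs (queued, transferring, or transferred but not yet completed by the caller).
#    -AllUsers requires elevation; otherwise only the current user's jobs are visible.
foreach ($job in (Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
    foreach ($item in $job.FileList) {
        $rows.Add([pscustomobject]@{
            Source  = 'ActiveJob'
            When    = $job.CreationTime
            Owner   = $job.OwnerAccount
            JobName = $job.DisplayName
            State   = $job.JobState
            Remote  = $item.RemoteName
            Local   = $item.LocalName
            Trusted = Test-TrustedUrl -Url $item.RemoteName
        })
    }
}

# 2. Recent history. Event 59 in the Bits-Client operational log is written when a
#    transfer job starts; its message text names the job and the remote URL.
$filter = @{
    LogName   = 'Microsoft-Windows-Bits-Client/Operational'
    Id        = 59
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $m = [regex]::Match($ev.Message, 'https?://\S+')   # assumed: URL appears verbatim in the message
    if (-not $m.Success) { continue }
    $url = $m.Value.TrimEnd('.', ',', '"', ')')
    $rows.Add([pscustomobject]@{
        Source  = 'EventLog'
        When    = $ev.TimeCreated
        Owner   = $ev.UserId
        JobName = ''
        State   = 'Started'
        Remote  = $url
        Local   = ''
        Trusted = Test-TrustedUrl -Url $url
    })
}

if ($rows.Count -eq 0) {
    Write-Host 'No BITS jobs or transfer-start events found in the lookback window.'
} else {
    $rows | Sort-Object When -Descending | Format-Table Source, When, Owner, State, Remote, Local, Trusted -AutoSize
    foreach ($r in ($rows | Where-Object { -not $_.Trusted })) {
        Write-Warning ("BITS transfer from untrusted host: {0} (owner {1}, {2})" -f $r.Remote, $r.Owner, $r.Source)
    }
}
```

The live-job view catches a download that is still in flight or has finished but not yet been consumed; the event-log view catches jobs that were created and completed between runs. An empty allowlist match is only a lead, not a verdict: legitimate software also uses BITS, so follow each untrusted hit to the process that created it (the BITS job owner and the local target path are the starting points) before acting on it. Jobs the script reports can also be cancelled with `bitsadmin /cancel <jobid>` or `Remove-BitsTransfer` once confirmed malicious.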
Although there have been Astaroth campaigns in the US, Europe, and Asia, the vast majority of attacks this year are aimed at Windows users in Brazil, according to Microsoft.
Accordingly, the initial spam email is written in Portuguese; it translates to: "Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes". The link leads to an archive file named Arquivo_PDF_<date>.zip.