Microsoft Warns of Hard-to-Spot Fileless Malware, “Astaroth”


Recently, Microsoft went into red alert after Windows came under attack from malware. The antagonist this time was a strain of fileless malware called Astaroth. We’ve covered fileless malware in the past, so be sure to study up if you’re not sure what that means. In essence, it’s when malware lives within the RAM of a computer rather than its filesystem, making it harder to detect.

Let’s explore why Microsoft is up in arms about Astaroth, as well as what you should do to protect yourself.

How Does Astaroth Spread?


Astaroth spreads by using a .LNK (Windows shortcut) file. The file is uploaded to a website, and a link to that website is then sent around in an email.

If someone clicks the link, the .LNK file runs in Windows. It passes instructions to the Windows Management Instrumentation Command-line (WMIC) tool. Because WMIC is a genuine program that ships with Windows, its execution slips past the antivirus.

Astaroth then hides behind WMIC, using it to download and run every component it needs to do its job. Once the malware has been fully assembled in memory, the attack goes off.

While Astaroth does download tools to do its job, they are all legitimate system tools that Windows uses natively. This makes it harder for an antivirus to detect, as the attack turns key Windows processes against the system itself. This is why it’s called a “fileless” attack: no foreign files are downloaded and saved to disk.

This method of attack also has a larger category assigned to it: a “Living-off-the-Land” attack. This is because the virus isn’t technically introducing any new agents into the system; it’s simply using what is already there to download and execute the payload.
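As an added illustration (not code from the original article), here is how a defender might turn the .LNK-to-WMIC chain described above into a simple detection over process-creation events. The event format, the rule logic and the sample events are all constructed for this example and are assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches http:// or https:// anywhere in a command line.
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Parents from which a user-launched shortcut (.LNK) typically spawns a process.
LNK_PARENTS = {"explorer.exe", "cmd.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields loosely modelled on Sysmon Event ID 1)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def wmic_findings(ev: ProcessEvent) -> List[str]:
    """Reasons this event looks like LNK -> WMIC -> remote download; empty if benign."""
    if basename(ev.image) != "wmic.exe":
        return []
    reasons = []
    has_url = URL_RE.search(ev.command_line) is not None
    if has_url:
        reasons.append("wmic.exe command line references a remote URL")
    if has_url and basename(ev.parent_image) in LNK_PARENTS:
        reasons.append("launched from a shell parent consistent with a clicked .LNK")
    return reasons


def scan(events: List[ProcessEvent]):
    """Return (event index, reason) pairs for every finding."""
    return [(i, r) for i, ev in enumerate(events) for r in wmic_findings(ev)]


# Constructed sample events (hypothetical), not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic os get caption"),  # an admin querying the OS: benign
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wbem\WMIC.exe",
                 'WMIC.exe [switches omitted] "http://example.invalid/stage1"'),  # suspicious
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe readme.txt"),  # unrelated process: ignored
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

In a real environment the same rule would run over Sysmon or EDR process-creation logs, and the URL check would be tuned against the WMIC usage that is normal for your administrators.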

What Does Astaroth Do?


Astaroth’s main goal is to harvest as much information as it can. It performs this through several attack vectors. A keylogger tracks everything the user is typing, while the clipboard is scanned for sensitive information. Astaroth will also force apps to dump information about themselves.

This is generally how most malware acts these days. Viruses and malware have moved away from doing damage and instead perform actions that either harvest data or make money for their developers. Astaroth is a severe example of this, as its fileless installation and its multiple ways of evading detection make it a force to be reckoned with.

How to Avoid this Attack


Fortunately, while this tactic makes it hard for an antivirus to pick up on the attack, the actual initial vector is easy to spot by human eyes. Always be careful with links that you click in emails, especially ones sent from people who you’ve never heard from before.

Fileless Foes

The stealthy nature of fileless malware makes it a serious threat, even for people with an antivirus installed. The latest Astaroth wave has shown just how devastating fileless malware can get. Now you know what it is, what it can do, and how to avoid an infection.

Does fileless malware worry you? Let us know below.

Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.
