Astaroth malware is back: Microsoft's Windows 10 warning
Latest Astaroth living-off-the-land attacks are even more invisible but not less observable. The group behind the malware has changed its living-off-the-land tactics after Microsoft exposed its work.
Astaroth came back to life in early February sporting significant changes in its attack chain. Astaroth is an info-stealing malware that employs multiple fileless techniques and abuses various legitimate processes to attempt running undetected on compromised machines. The updated attack chain, which we started seeing in late 2019, maintains Astaroth’s complex, multi-component nature and continues its pattern of detection evasion.
When we first blogged about Astaroth’s methods, we noted how it completely lived off the land to avoid detection: only system tools already present on the machine are ever executed. In fact, it was an unusual spike in activity related to Windows Management Instrumentation Command-line (WMIC) that prompted our investigation and eventually exposed the Astaroth campaign.
Astaroth now avoids WMIC and related techniques entirely, sidestepping the detections built around them. Instead, the attackers introduced new techniques that make the attack chain even stealthier:
Abusing Alternate Data Streams (ADS) to hide malicious payloads
Abusing the legitimate process ExtExport.exe, a highly uncommon attack vector, to load the payload
Astaroth exemplifies how living-off-the-land techniques have become standard components of today’s attacks intent on evading security solutions. However, as we mentioned in our previous blog on Astaroth, fileless threats are very much observable. These threats still leave a substantial footprint in memory and in process behavior that can be inspected and blocked as the attack unfolds. Next-generation protection and behavioral containment and blocking capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) lead the charge in exposing threats like Astaroth.
Figure 1. Geographic distribution of Astaroth campaigns this year, with the majority of encounters recorded in Brazil
In this blog, we’ll share our technical analysis of the revamped Astaroth attack chain and demonstrate how specific Microsoft technologies tackle the multiple advanced components of the attack.
Dismantling the new Astaroth attack chain
The attackers were careful to ensure the updates didn’t make Astaroth easier to detect; on the contrary, the updates only make Astaroth’s activities even more invisible.
One of the most significant updates is the use of Alternate Data Streams (ADS), which Astaroth abuses at several stages to perform various activities. ADS is an NTFS file system feature that lets additional named data streams be attached to a file alongside its main, unnamed data stream. File Explorer shows only the main stream and reports only its size, so attackers abuse this feature to hide malicious code in plain sight. The streams are not truly hidden from the operating system, though: they can be enumerated from the command line (for example with dir /R or PowerShell’s Get-Item -Stream *), and reading from them is visible to file-system and process telemetry.
Figure 2. Astaroth attack chain 2020
In the case of Astaroth, attackers hide binary data inside an alternate data stream of the file desktop.ini, without changing the file size reported by File Explorer, since only the main stream is counted. By doing this, the attackers create a haven for the payloads, which are read and decrypted on the fly.
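To make the two preceding points concrete (how data rides in an alternate stream unseen by File Explorer, and how it is nonetheless observable), here is an added PowerShell walkthrough. It is not code from the Microsoft write-up or from Astaroth itself: the stream name "payload", the demo directory and the payload bytes are assumptions constructed for this demonstration, and the page does not state which stream names Astaroth actually uses.

```powershell
# Added example (not code from the Microsoft write-up or from Astaroth):
# plant bytes in an alternate data stream of a desktop.ini, show that the
# reported file size does not change, then enumerate, read and remove the
# stream. The stream name "payload", the demo directory and the payload
# bytes are assumptions for this demo. Needs an NTFS volume; FAT/exFAT have
# no alternate data streams.

$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'desktop.ini'

# 1. An ordinary desktop.ini in the main (unnamed) data stream.
Set-Content -LiteralPath $file -Encoding ASCII -Value @(
    '[.ShellClassInfo]',
    'IconResource=%SystemRoot%\system32\shell32.dll,3'
)
$before = (Get-Item -LiteralPath $file).Length

# 2. Write constructed "payload" bytes to the named stream desktop.ini:payload.
#    .NET opens "path:streamname" as an alternate stream on NTFS.
$payload = [byte[]](0..255)
[System.IO.File]::WriteAllBytes("$($file):payload", $payload)

# 3. Length (what File Explorer displays) still counts only the main stream,
#    so the file looks untouched even though 256 extra bytes are stored.
$after = (Get-Item -LiteralPath $file).Length
"Reported length before: $before, after: $after (hidden bytes: $($payload.Length))"

# 4. Detection: list every stream on the file. ':$DATA' is the main stream
#    and is always present; any other entry is data Explorer will not show.
Get-Item -LiteralPath $file -Stream * | Select-Object FileName, Stream, Length

# 5. Hunt for non-default streams across a tree, ignoring the Zone.Identifier
#    mark-of-the-web stream that browsers legitimately attach to downloads.
Get-ChildItem -LiteralPath $dir -Recurse -File |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * } |
    Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
    Select-Object FileName, Stream, Length

# 6. Read the hidden bytes back the way a loader would.
$read = [System.IO.File]::ReadAllBytes("$($file):payload")
"Recovered $($read.Length) bytes from the alternate stream"

# 7. Remove only the stream; the visible desktop.ini is untouched.
Remove-Item -LiteralPath $file -Stream payload
```

Step 4 is the check a responder wants: the same enumeration is available as dir /R in cmd.exe, and the stream read in step 6 is an ordinary file open on the path desktop.ini:payload, so it appears in file-access telemetry just like any other read. Seeing a process read a named stream of desktop.ini is itself a strong hunting signal, since legitimate software almost never does so.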