Microsoft’s Defender ATP Research Team yesterday revealed its discovery of a late-spring, fileless malware campaign that used "living-off-the-land" techniques to infected victims with information-stealing Astaroth backdoor.
The attackers behind this particular campaign abused a multiple of legitimate services in order to deliver the final payload, including the Windows Management Instrumentation Command-line tool (WMIC), the BITSAdmin command-line tool, the Certutil Certificate Services command-tool, the Regsvr32 command-line utility and the Userinit system tool.
"It's interesting to note that at no point during the attack chain is any file run that's not a system tool," remarked Andrew, Lelli, a member of the Defender ATP Research Team, in a company blog post. "In other words they [the attackers] use fileless techniques to silently install the malware on target devices."
According to Microsoft's telemetry, the campaign commenced on May 19 and carried on into mid-June, with at least four significant spikes in activity. The two biggest surges by far took place between May 26 and June 1, and between June 2 and June 6.
The attacks would begin with a spear phishing email containing a malicious link to a ZIP archive file holding an LNK file with a misleading name such as "certificate," "open document," or "order."
If opened, the file runs a BAT command-line that, in turn, runs WMIC. WMIC then downloads and runs an obfuscated XSL file that, in circular fashion, runs WMIC a second time. WMIC then downloads another obfuscated XSL file. At this point, the malware uses BITSadmin to download additional payloads, which are decoded by abusing Certutil. One of these payloads, a DLL file, is then run within the context of the Regsvr32 tool.
"The newly loaded DLL reads and decrypts the file falxconxrenwgx.gif into a DLL," Lelli's blog post continues. "It runs the system tool userinit.exe into which it injects the decrypted DLL. The file falxconxrenwgx.gif is again a proxy that reads, decrypts, and reflectively loads the DLL falxconxrenwg.gif. This last DLL is the malicious info stealer known as Astaroth."
Discovered in 2017 and named after the "Great Duke of Hell," the malware has historically been linked to campaigns targeting companies in Europe and Brazil. Its abuse of legitimate tools such as WMIC and BITSAdmin has been chronicled before, including in this Cybereason report from February 2019.