A malware group that goes by the name of ‘Astaroth’ has re-emerged stronger and stealthier than before. This group has been known for exploiting Microsoft Windows tools to further the attack.
Microsoft had gotten aware of these methods and exposed the malware group and its “living-off-the-land” tactics. But the malware resurfaced with a hike in activity and better techniques.
Reportedly, the Windows Management Instrumentation Command-line (WMIC) is the built-in tool that got used the last time as was spotted by the Windows Defender ATP.
Per sources, the analysis done by Microsoft led to the discovery of a spam operation that spread emails with links to websites hosting a “.LNK” shortcut file which would instruct the WMIC and other Windows tools to run “fileless” malware in the memory well out of the reach of the anti-malware.
Sources indicate that having learnt from mistakes, Astaroth now entirely dodges the use of the WMIC. January and February showed a rise in activity.
According to sources, the new styled campaign still commences with a spam email comprising of a malicious website hosting link, LNK file but it the new version it employs a file attribute, “Alternate Data Streams” (ADS), that lets the attacker clip data to a file that already exists so that hiding malicious payloads gets easier.
Per source reports, the first step of the campaign which is a spam email reads, “Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes”. The link is an archive file marked as, “Arquivo_PDF_.zip”.
It manipulates the ExtExport.exe to load the payload which per researchers is a valid process and an extre ..
Support the originator by clicking the read the rest link below.
