Fileless Malware? Microsoft Pops the Hood on Astaroth

The Microsoft Defender Advanced Threat Protection Research Team have released a warning to all Windows users informing them that a notorious malware has resurfaced and has begun to spread once again. This malware, named Astaroth (The Great Duke of Hell), steals user credentials without ever needing to install malicious software.

What makes this malware so notorious is not just that it deploys keyloggers and monitors the clipboard, aiding in its ability to steal login credentials, instead it does all this without downloading any executable file onto the user’s machine. The attack begins when the user opens a link within a phishing email. The link, unbeknownst to the user, opens a shortcut file which launches a terminal command that downloads and runs JavaScript code. From there the JavaScript pulls and runs two DLL files which do the dirty work of keylogging the user’s information and uploading it to the remote attacker. It does this entire process without the user ever knowing it is going on, raising serious concerns for businesses and personal machines.

To stop the Malware, Anti-Virus programs need closely monitor how WMIC command-line code, applying rules to such code when necessary. This includes regularly checking the age of the files being called and flagging or completely blocking newly created DLL files. However, Microsoft’s anti-virus, as well as other anti-virus programs, have been updated to watch for such occurrences.

Nevertheless, it is crucial that you remain cautious when online. Malware like this, even though modern anti-virus has been updated to watch for these suspicious actions, is not full proof. You should never look at your anti-virus as being the first line of defense; that what you are! If you are worried that an email may be a phishing scam, the chances are that it is. Always verify with the sender before you click on any links or download any files, and you will ensure that your computer and data remains safe!

If you are worried that your business may be vulnerable to cyber attacks, contact Hammett Technologies! We use only the latest cybersecurity technology to ensure that your data is always safe. To find out more about what we can do to assist your company, click here!