Astaroth Malware Infects Systems Using Legitimate Tools Only

Delaware, USA – July 9, 2019 – Microsoft admonishes of ongoing campaign spreading fileless malware capable of stealing credentials and clipboard data. The attacks started in mid-May, and most of the campaign targets are located in Brazil. Experts from Microsoft Defender ATP Research Team discovered suspicious surges in the use of the Windows Management Instrumentation Command-line and began an investigation. Adversaries send spear-phishing emails containing a link to LNK file which, if executed, abuses living-off-the-land binaries to install Astaroth malware. The file uses the WMIC tool to load and run Javascript, which downloads Base64-encoded payloads with the help of the Bitsadmin tool. Payloads are decoded with the Certutil tool into DLL files that are loaded in memory abusing Regsvr32 to inject final payload into the Userinit process.
Unlike past campaigns, files are not saved to the attacked system during the infection process, so it is rather difficult to detect infostealer with traditional security solutions. In February campaign distributing Astaroth malware, attackers misused legitimate binaries of security solutions to load its modules.

Rules to detect infection process
Suspicious Certutil Command by Florian Roth, juju4, keepwatch:
Certutil.exe execution via Command Line or PowerShell by Eugene Nechiporenko, SOC Prime:
Bitsadmin Download (Sysmon) by Michael Haag: