New Super Stealth Astaroth Malware Records Keystrokes

John Lister's picture

Microsoft has warned users about a complicated but cunning malware attack that might not be caught by all security tools. The "Astaroth" malware doesn't actually exist as a file in its own right.

The main risk to users from Astaroth is that it includes a keylogger. This means it can access everything victims type, including passwords and other sensitive data. That's one of the reasons sites such as online banks often ask users to type specific characters (such as third and eighth) rather than an entire password.

Malware Hides Within Windows

What makes Astaroth so hard to detect is that it uses a technique dubbed "living off the land." It's a sophisticated and complicated approach, but in simple terms the malware doesn't have any executable files. Instead, it runs within legitimate Windows processes. (Source:

That's a big problem for many security tools that work by scanning computers and monitoring downloads to look for files that are either known to be malicious or show suspicious characteristics. Such tools don't usually interfere with Windows processes as this could affect the smooth running of a computer and deter people from using the security tools.

The good news is that other anti-malware techniques can spot Astaroth, including Microsoft Defender ATP. That was previously a commercial product aimed at businesses but is now built into Windows 10 by default.

Dubious Links Distribute Danger

These techniques involve monitoring activity on the computer for signs of something amiss. A Microsoft spokesman said that "Some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would." (Source:

The way the malware gets onto computers in the first place is nothing new: it's spread by bogus emails that encourage users to click on a link to a file. In this case the file is in .LNK format, which is normally used for shortcuts to Windows applications, such as those that appear on a desktop. Once the .lnk file is clicked, it downloads the malware.

What's Your Opinion?

Do you understand how your chosen security tools work? Is it worth the extra demand on resources to have security software that runs continuously rather than just scanning files when necessary? Should email providers and browsers have an option to warn users to think carefully before opening any attachment or following a link in an email?

Rate this article: 
Average: 5 (11 votes)


brigadand's picture

Other than Microsoft Defender ATP are there any other anti-malware programs that protect your system from this?

buzzallnight's picture

"living off the land." mean that this virus takes advantage of programs that m$ put on your computer that you probably never use,

how do we shut them off??????????????????

Dennis Faas's picture

I've looked into this more in depth, and an example of a "living off the land" exploit might involve downloading a script stored on a website (externally), then using a localized program such as powershell to execute said script.

This type of attack is nothing magical except that there is physically no malware-laiden executables (EXEs) running except for the powershell itself, which takes is arguments from the malicious script. Hence this is by definition "living off the land" because it is now considered "stealth" with no EXEs.

We can assume execution of that script via powershell is done using administrative privileges. The only way for this to happen would likely involve the system already being infected with some sort of malware executable, or the user being tricked into social engineering, though this would be difficult at best to pull off.

As for protection, make backups and scan your system for malware regularly, patch the system, etc. Read this article on how to stay protected.