David Baxter PhD

Late Founder
New Super Stealth Astaroth Malware Records Keystrokes
by John Lister, Infopackets.com
July 11, 2019

Microsoft has warned users about a complicated but cunning malware attack that might not be caught by all security tools. The "Astaroth" malware doesn't actually exist as a file in its own right.

The main risk to users from Astaroth is that it includes a keylogger. This means it can access everything victims type, including passwords and other sensitive data. That's one of the reasons sites such as online banks often ask users to type specific characters (such as third and eighth) rather than an entire password.

Malware Hides Within Windows
What makes Astaroth so hard to detect is that it uses a technique dubbed "living off the land." It's a sophisticated and complicated approach, but in simple terms the malware doesn't have any executable files. Instead, it runs within legitimate Windows processes. (Source: medium.com)

That's a big problem for many security tools that work by scanning computers and monitoring downloads to look for files that are either known to be malicious or show suspicious characteristics. Such tools don't usually interfere with Windows processes as this could affect the smooth running of a computer and deter people from using the security tools.

The good news is that other anti-malware techniques can spot Astaroth, including Microsoft Defender ATP. That was previously a commercial product aimed at businesses but is now built into Windows 10 by default.

Dubious Links Distribute Danger
These techniques involve monitoring activity on the computer for signs of something amiss. A Microsoft spokesman said that "Some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would." (Source: theinquirer.net)

The way the malware gets onto computers in the first place is nothing new: it's spread by bogus emails that encourage users to click on a link to a file. In this case the file is in .LNK format, which is normally used for shortcuts to Windows applications, such as those that appear on a desktop. Once the .lnk file is clicked, it downloads the malware.
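The article above describes the chain a behavioural detector looks for: a mailed shortcut is opened, nothing new is written to disk, legitimate Windows binaries do the work, and one of them reaches out to the network. As an added illustration (not code from the article, Microsoft or the forum), here is a toy process-lineage check over constructed events; the `origin` field, the process names and the sample events are all assumptions, not real telemetry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable that was started
    origin: str     # file the user opened to start it, if known (assumed field)
    network: bool   # did this process open an outbound connection?

def is_windows_binary(image: str) -> bool:
    """Treat anything shipped under C:\\Windows as an OS-provided process."""
    return image.lower().startswith("c:\\windows\\")

def descendants(events, pid):
    """All processes below `pid` in the process tree (depth-first)."""
    out, stack = [], [pid]
    while stack:
        cur = stack.pop()
        for child in (e for e in events if e.ppid == cur):
            out.append(child)
            stack.append(child.pid)
    return out

def suspicious_chains(events):
    """Return pids of processes started from a .lnk whose whole lineage
    consists of OS-provided binaries yet still talks to the network:
    shortcut in, no new executable on disk, download out."""
    flagged = []
    for root in events:
        if not root.origin.lower().endswith(".lnk"):
            continue
        chain = [root] + descendants(events, root.pid)
        if all(is_windows_binary(e.image) for e in chain) and any(e.network for e in chain):
            flagged.append(root.pid)
    return flagged

# Constructed sample (file names and pids invented for the example).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "", False),
    # mailed shortcut opened; its target is a built-in tool (constructed name)
    ProcEvent(200, 100, r"C:\Windows\System32\example_tool.exe", r"C:\Users\u\Downloads\invoice.lnk", False),
    ProcEvent(201, 200, r"C:\Windows\System32\example_helper.exe", "", True),   # the download step
    # benign shortcuts: an installed app that uses the network, and Notepad that does not
    ProcEvent(300, 100, r"C:\Program Files\Browser\browser.exe", r"C:\Users\u\Desktop\Browser.lnk", True),
    ProcEvent(400, 100, r"C:\Windows\System32\notepad.exe", r"C:\Users\u\Desktop\Notes.lnk", False),
]

if __name__ == "__main__":
    print(suspicious_chains(SAMPLE_EVENTS))  # → [200]
```

A single rule like this is only one signal; real products combine many, which is the point of the "bag of money moving by itself" analogy quoted above.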
David Baxter PhD

Late Founder
Moral of this story:

  1. Be careful about clicking on links in emails unless you are sure you know who the email comes from.
  2. Since many emails spoof banking sites, Revenue Canada (or the IRS), Microsoft, etc., instead of clicking on those links go directly to the site.