New hard-to-detect Astaroth campaigns spotted using fileless execution and living-off-the-land techniques.
Malware writers have found a new way to circumvent your anti-virus software. They are using a technique called "living off the land." This involves using legitimate tools to download code and process the illegal activity completely in the memory of the computer without using files.
The Microsoft Team behind Windows Defender ATP spotted the attacks. A member of the team said they were alerted when a huge and sudden spike in usage of the WMIC tool, "Windows Management Instrumentation Command-Line" tool. WMIC is a powerful tool that complements the existing management and administration utilities and tools. It is a command line shell much like the CMD command.
The sudden spike was indicative of a pattern that occurs during malware campaigns.
If users were careless to download and run this file, it would launch the WMIC tool, and then a plethora of other legitimate Windows tools, one after the other.
The tools would all download additional code and pass their output to one another, executing solely in memory -- in what's called fileless execution -- and without saving any files on disk, making the job of classic antivirus solutions harder, as they would have nothing to file on disk to scan.
What is a .LNK file, these are files that point to the location of an executable file typically located on a hard drive. Your desktop shortcuts are examples of this. However in the case of the malware email, the .LNK file points to a URL on the internet where the malicious file is stored.
The end result of this attack is that the Astaroth trojan is downloaded and run. It is a known info-stealer that can dump credentials for a wide category of apps and uploaded the stolen data to a remote server.
This trojan first appeared in 2018. Earlier this year it was used in malware attacks targeting European and Brazilian users in February, this year.
The next step in the evolution of modern antivirus products is shifting from a classic file signature detection mode of operation to a behavioral-driven approach, where they can also detect "invisible" actions like fileless (in-memory) execution and living-off-the-land techniques where legitimate tools are abused for bad operations.
Be very careful opening emails from people you do not know, especially those containing links to external sites.
To read the full story click on this link;
https://www.zdnet.com/article/microsoft-warns-about-astaroth-malware-campaign/?ftag=TREc64629f&bhid=2219791
In other hacking and malware news;
Sodinokibi ransomware is now using a former Windows zero-day
The Sodinokibi malware uses a former Windows Zero-day vulnerability to carry out its attack on infected hosts.
The vulnerability, a privilege escalation flaw known as CVE-2018-8453, had been patched in the October 2018 Patch Tuesday Microsoft security updates after it had previously been used by a state-sponsored hacking group known as FruityArmor since August 2018.
I know updates can be a pain but with so many ransomware attacks occurring today, it is imperative that you patch/update your systems so they remain safe from attack.
https://www.zdnet.com/article/sodinokibi-ransomware-is-now-using-a-former-windows-zero-day/
'Silence' hackers hit banks in Bangladesh, India, Sri Lanka, and Kyrgyzstan, allegedly stole $3 million from Bangladesh's Dutch Bangla Bank.
In a report shared with ZDNet prior to publication, Group-IB tied the Dutch Bangla Bank incident to a group of hackers known as "Silence."
The group, which ZDNet previously covered in a September 2018 piece, has been active since 2016 and has historically targeted banks in Russia, former Soviet states, and Eastern Europe.
https://www.zdnet.com/article/silence-hackers-hit-banks-in-bangladesh-india-sri-lanka-and-kyrgyzstan/
DFORCE - Intel 8th & 9th Generation computers with Solid State Drives
No comments:
Post a Comment