
Microsoft Warns About Astaroth Malware Campaign (zdnet.com)

The Microsoft security team has issued a warning today about ongoing malware campaigns that are distributing the Astaroth malware using fileless and living-off-the-land techniques that make it harder for traditional antivirus solutions to spot the ongoing attacks. From a report: The attacks were detected by the team behind Windows Defender ATP, the commercial version of the company's Windows Defender free antivirus. Andrea Lelli, a member of the Windows Defender ATP team, said alarm bells sounded at Microsoft's offices when they detected a huge and sudden spike in usage of the Windows Management Instrumentation Command-line (WMIC) tool. This is a legitimate tool that ships with all modern versions of Windows, but the sudden spike in usage suggested a pattern specific to malware campaigns. When Microsoft looked closer, it discovered a malware campaign that consisted of a massive spam operation that was sending out emails with a link to a website hosting a .LNK shortcut file.
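The detection signal described in the summary is a sudden fleet-wide spike in WMIC process creations relative to normal usage. The script below is an added example (not code from Microsoft, ZDNet, or the Windows Defender ATP team) that shows how such a spike check can be run over process-creation telemetry. The log format, the sample lines, the hourly bucketing and the thresholds (three hours of baseline, a 3x factor, a minimum of five events) are all assumptions chosen for illustration.

```python
"""Hourly spike detector for wmic.exe process creations.

Added example, not from the original article. Reads a constructed
process-creation log (one event per line: timestamp, host, parent image,
image, command line), buckets wmic.exe launches per hour, and flags hours
whose count far exceeds the average of the preceding hours.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. Hours 10-12 show the
# occasional legitimate admin use of wmic; hour 13 shows a burst across
# many hosts, which is the pattern the article describes.
SAMPLE_LOG = """\
2019-07-08T10:00:12Z host-a cmd.exe wmic.exe wmic os get caption
2019-07-08T10:30:00Z host-a explorer.exe notepad.exe notepad.exe
2019-07-08T11:15:44Z host-b cmd.exe wmic.exe wmic computersystem get name
2019-07-08T12:05:09Z host-a cmd.exe wmic.exe wmic bios get serialnumber
2019-07-08T12:40:21Z host-c explorer.exe powershell.exe powershell.exe
2019-07-08T13:00:03Z host-d explorer.exe wmic.exe wmic os get /format:"placeholder"
2019-07-08T13:01:10Z host-e explorer.exe wmic.exe wmic os get /format:"placeholder"
2019-07-08T13:02:55Z host-f explorer.exe wmic.exe wmic os get /format:"placeholder"
2019-07-08T13:04:30Z host-d explorer.exe wmic.exe wmic os get /format:"placeholder"
2019-07-08T13:07:12Z host-g explorer.exe wmic.exe wmic os get /format:"placeholder"
2019-07-08T13:09:48Z host-h explorer.exe wmic.exe wmic os get /format:"placeholder"
2019-07-08T13:12:05Z host-i explorer.exe wmic.exe wmic os get /format:"placeholder"
2019-07-08T13:18:37Z host-h explorer.exe wmic.exe wmic os get /format:"placeholder"
"""

# Assumed line layout; a real pipeline would parse its own sensor format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<parent>\S+)\s+(?P<image>\S+)\s*(?P<cmd>.*)$"
)


def parse_events(text):
    """Parse log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"],
            "parent": m["parent"].lower(),
            "image": m["image"].lower(),
            "cmd": m["cmd"],
        })
    return events


def hourly_wmic_counts(events):
    """Count wmic.exe launches per hour and record which hosts ran it."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for e in events:
        if e["image"] == "wmic.exe":
            bucket = e["ts"].replace(minute=0, second=0, microsecond=0)
            counts[bucket] += 1
            hosts[bucket].add(e["host"])
    return counts, hosts


def detect_spikes(events, baseline_hours=3, factor=3.0, min_count=5):
    """Flag hours where wmic launches exceed factor x the prior average.

    min_count suppresses alerts on tiny absolute numbers, and the baseline
    is floored at 1 so a quiet fleet does not alert on a single launch.
    """
    counts, hosts = hourly_wmic_counts(events)
    if not counts:
        return []
    first, last = min(counts), max(counts)
    buckets = []
    t = first
    while t <= last:
        buckets.append(t)
        t += timedelta(hours=1)
    alerts = []
    for i, b in enumerate(buckets):
        prior = buckets[max(0, i - baseline_hours):i]
        if len(prior) < baseline_hours:
            continue  # not enough history to build a baseline
        baseline = sum(counts.get(p, 0) for p in prior) / len(prior)
        n = counts.get(b, 0)
        if n >= min_count and n > factor * max(baseline, 1.0):
            alerts.append({"hour": b, "count": n, "baseline": baseline,
                           "hosts": sorted(hosts[b])})
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(parse_events(SAMPLE_LOG)):
        print(f"{a['hour']:%Y-%m-%d %H:00} wmic.exe x{a['count']} "
              f"(baseline {a['baseline']:.1f}) on {len(a['hosts'])} hosts")
```

An alert on the hourly count is only a triage lead; the number of distinct hosts in the same hour is what separates one administrator running a script from a campaign landing on many endpoints at once, so the alert carries the host list for that reason.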
  • by Anonymous Coward

    Bottom line: redmond still sucks at writing software. News at 11.

    • by Mashiki ( 184564 )

      Read the original source instead of the not-even-synopsis-level material pumped out by zdnet. This has much more information [microsoft.com], and will likely be more useful especially if you're in the various IT related areas. It's actually rather interesting, because not only is the malware obfuscating what it's attempting to do, but it's trying to look legitimate while it prepares, installs and executes its payload.

      Looking, and seeming legitimate is the same method you use when trying to go through human-layer securi

  • Disturbing. (Score:5, Insightful)

    by Major_Disorder ( 5019363 ) on Monday July 08, 2019 @04:24PM (#58892632)
    So MS knows what software you are running, and what links it might be following? While this use of the information is worthwhile, I shudder to think of the invasion of privacy.
    • by Anonymous Coward

      This is from the ATP team. The ATP product is not free and is not on all machines. Perhaps they only know about their installed base that is paying them to track these things?

    • ummm yeah. If you pay someone to monitor your devices (i.e. ATP) then I would actually be pretty pissed if they couldn't see this, it is the whole fucking point of buying the service.
  • by Anonymous Coward on Monday July 08, 2019 @04:38PM (#58892706)

    They can't secure their OS but they can sell an antivirus package that can? This is truly a clown world...

    • Spoken like someone who doesn't use windows - the product for the last 10+ years comes with Anti-Virus out of the box.

    • by vbdasc ( 146051 )

      No, actually it's quite logical, IMHO. They sell an OS with all functionality enabled, and then they sell their AV product which cripples the OS, disabling and/or slowing down one or another functionality, in exchange for some protection. You choose what to buy. Some people just don't need a crippled OS.

    • Yeah it is a clown world. Clowns who don't seem to understand that anti-malware and OS functions are necessarily different and independent. MS could stop malware tomorrow and secure their OS, but no thanks I don't want a walled garden complete with being unable to do privileged tasks on my own computer.

      So I accept the fact that I run an OS that allows the user to remain in control, even if that control is more than enough rope with which to hang themselves.

    • by AmiMoJo ( 196126 )

      You have a choice:

      An OS that lets you do mostly what you want but requires you to be vigilant because people will try to trick you into doing what they want, or exploit flaws in the software you run to attack your computer.

      OR

      An OS that is heavily locked down, where you can only take actions sanctioned by the developer. Very secure but also very limited.

      Take your pick.

  • Rule #1 to live by: Don't click on anything in an email, from any source.

  • If they had built a reasonably secure system, how many people that today are lawfully employed would be out of a job?
  • Using a computer today is like pissing in the middle of the street.
