InfoSec Blog - Fileless Malware: The Rise of Astaroth

Decorative image

July 26, 2019

Although, we have known about fileless malware since the early 2000’s it is now becoming more of a hot topic thanks to a surge of new campaigns using the Astaroth malware. Now I understand that the previous sentence may have you feeling lost and asking questions like:

  • What is fileless malware?
  • How does it work?
  • How can I prevent it?

Unmasking this stealthy and unforgiving type of malware is the goal of this blog post.  That being said, here is a definition of fileless malware from Wikipedia.com:

“Fileless malware is a variant of computer related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM.”

Put into simpler terms, this malware can live on your machine without your permission by residing in temporary memory and using trusted Windows programs and scripting languages to steal any information it wants. Differences in fileless and traditional malware, although few, are significant as traditional malware can easily be detected by most anti-malware programs, whereas fileless malware cannot be found as easy due to its ability to look and act like normal processes. As bad as this sounds there are some steps that you can be take to protect yourself from these attacks.

 

How to Prevent Fileless Malware

 

The first step to stopping these attacks is learning how they are spread. Attack vectors consist of:

  • Physical transfers (USB or another physical media device)
  • Email phishing (infected links or attachments)
  • Sites vulnerable to exploits such as code injection

Effectively, to protect yourself from this type of malware you need to be extra cautious when it comes to basic security principles such as never plugging in removable media from unknown sources and never clicking on links to sites you might receive in emails. Here are a few other steps that can be taken to help prevent these infections:

  1. Always keep your software and OS up to date
  2. Disable PowerShell/WMI if it is unnecessary
  3. Disable macros on your machine
  4. Use anti-malware that detects irregular behavioral patterns in software.

Extraordinary measures are not needed to keep yourself and those around you safe since taking practical security measures can go a long way. Learning the basics doesn’t have to be hard either, you can start by going through the security training provided to University members through Courselink. Please feel free to visit other blog entries on the InfoSec website (https://infosec.uoguelph.ca) for more information on protecting yourself against cyber threats. Safety starts with you!

 

Written by: Joao Bernardo (Cyber Security Analyst II, Information Security)