Canadian Centre for Cyber Security Warns the Public Against Fileless Malware

The Canadian Centre for Cyber Security recently released an advisory warning the public of the growing fileless malware campaigns affecting Microsoft Windows users.

What Is Fileless Malware?

Fileless malware is a type of malicious software that was first observed in the wild in the early 2000s. According to the Canadian Centre for Cyber Security, fileless malware “remains popular method of attack by cyber adversaries”. The Cyber Centre said malicious actors favour it because of its “low observable characteristics”.

Ordinary anti-virus or anti-malware solutions have difficulty detecting fileless malware for two reasons: this type of malware takes advantage of legitimate software programs to cover up its malicious activity, and the original infecting executable doesn’t remain on the infected computer’s hard drive.

Victims are typically first infected through a phishing attack, a type of cyberattack that uses emails to launch an attack. Phishing emails trick victims into opening an infected file or visiting a malicious website.

Aside from phishing attacks, the initial infection may come from physical transfer, that is, when a user connects an infected device or media to a device. Web applications are another point of entry: an attacker leverages a security vulnerability in a website to inject and execute malicious code on the computer of any user who happens to visit the website.

After the initial infection, the attackers often abuse legitimate software programs commonly used by system administrators, such as Windows Management Instrumentation (WMI). The infected computer may attempt to download additional malware, download and execute scripts, or propagate to other connected devices.

Astaroth Malware

One example of fileless malware is Astaroth. First observed in the wild in 2017, Astaroth is known for stealing sensitive information from victims, including account credentials and keystrokes, and sending the stolen information to the attackers.

Stolen data can be used by the attackers to carry out financial theft, move laterally across networks, or sell the stolen information in the cybercriminal underground. In the past, attackers used Astaroth to collect information from the clipboard, recover passwords using an external software known as NetPass, and record every keystroke made by a computer user and send these keystrokes to the attackers.

From May 2019 to June 2019, the Microsoft Defender ATP Research Team reported that it noticed spikes in suspicious WMIC-related activities. WMIC stands for Windows Management Instrumentation Console. It provides a command-line interface to Windows Management Instrumentation (WMI), which is used by Microsoft Windows system administrators for various tasks, including querying system settings, stopping processes, and locally or remotely executing scripts.

The Microsoft Defender ATP Research Team said that the spikes in suspicious WMIC-related activities from May 2019 to June 2019 proved to be a campaign that aimed to run the Astaroth malware. According to the team, while the campaign to run the Astaroth malware may vary slightly, the attack generally followed these steps: A malicious link in a phishing email leads to an LNK file. When this malicious link is double-clicked, the LNK file causes the execution of the WMIC tool, which results in the downloading and execution of JavaScript code. This JavaScript code, in turn, downloads payloads by abusing another Windows application used by system administrators called “Bitsadmin”.

“The Regsvr32 tool [another Windows application used by system administrators] is then used to load one of the decoded DLLs, which in turn decrypts and loads other files until the final payload, Astaroth, is injected into the Userinit process,” the team added.

“It’s interesting to note that at no point during the attack chain is any file run that’s not a system tool,” Microsoft Defender ATP Research Team said. “This technique is called living off the land: using legitimate tools that are already present on the target system to masquerade as regular activity.”
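Because every step in this chain is a system tool, detection has to look at how the tools are invoked and in what order. The following is an added example, not code from Microsoft, Cofense or the Cyber Centre: it correlates process-creation events per host and flags the WMIC, Bitsadmin, Regsvr32 sequence. The event fields, matching heuristics, 10-minute window and sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

URL = re.compile(r"https?://", re.I)
# Stage order follows the chain described above: WMIC, then Bitsadmin, then Regsvr32.
STAGES = ["wmic", "bitsadmin", "regsvr32"]

def stage_of(event):
    """Return the chain stage an event matches, or None (heuristics are assumptions)."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    if image == "wmic.exe" and URL.search(cmd):
        return "wmic"        # WMIC pointed at a remote location
    if image == "bitsadmin.exe" and URL.search(cmd):
        return "bitsadmin"   # BITS job fetching from the network
    if image == "regsvr32.exe" and re.search(r"\\(users|programdata)\\|\\temp\\", cmd, re.I):
        return "regsvr32"    # DLL loaded from a user-writable path
    return None

def find_chains(events, window=timedelta(minutes=10)):
    """Return {host: [events]} for hosts where all stages occur in order within window."""
    hits, by_host = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        chain = []
        for ev in evs:
            if chain and ev["time"] - chain[0]["time"] > window:
                chain = []   # too slow to be one chain; start over
            if stage_of(ev) == STAGES[len(chain)]:
                chain.append(ev)
                if len(chain) == len(STAGES):
                    hits[host] = chain
                    break
    return hits

# Constructed sample events; "..." marks elided arguments, not real invocations.
T0 = datetime(2019, 6, 1, 9, 0)
def mk(host, minute, image, cmdline):
    return {"host": host, "time": T0 + timedelta(minutes=minute), "image": image, "cmdline": cmdline}

SAMPLE = [
    mk("WS01", 0, r"C:\Windows\System32\wbem\WMIC.exe", "wmic ... https://example.invalid/a"),
    mk("WS01", 1, r"C:\Windows\System32\bitsadmin.exe", "bitsadmin ... https://example.invalid/b"),
    mk("WS01", 2, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 ... C:\Users\Public\x.dll"),
    mk("ADMIN02", 0, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    mk("ADMIN02", 3, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Windows\System32\example.dll"),
]
if __name__ == "__main__":
    print(sorted(find_chains(SAMPLE)))
```

The administrator workstation in the sample uses WMIC and Regsvr32 without tripping the rule, which is the point of correlating on arguments and order rather than blocking the tools outright.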

In September 2018, Cofense Phishing Defense Center reported on the resurgence of Astaroth. Similar to the recent finding of the Microsoft Defender ATP Research Team, Cofense Phishing Defense Center observed that the 2018 version of Astaroth leverages Windows tools such as Windows Management Instrumentation Console (WMIC) to deliver the malware.

Cybersecurity Best Practices

According to the Microsoft Defender ATP Research Team, Microsoft Defender ATP exposes fileless malware like Astaroth before these attacks can cause more damage. The team said that abusing fileless techniques doesn’t put this type of malware beyond the reach or visibility of security software. “On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way, that a bag of money moving by itself would,” the team said.

Cofense Phishing Defense Center, for its part, said that blocking or restricting the use of WMIC may not be a feasible solution, as some system administrators need it. Astaroth is best mitigated with user training and awareness about phishing attacks, the Center said.

The Canadian Centre for Cyber Security, meanwhile, recommends the following 10 cybersecurity best practices in order to prevent attacks, in particular, fileless malware:

  1. Consolidate, monitor and defend internet gateways
  2. Patch operating systems and applications
  3. Enforce the management of administrative privileges
  4. Harden operating systems and applications
  5. Segment and separate information
  6. Provide tailored awareness and training
  7. Protect information at the enterprise level
  8. Apply protection at the host level
  9. Isolate web-facing applications
  10. Implement application whitelisting
