Are you familiar with Astaroth?

If you’re a data security professional, you’ve probably at least heard the name.

The group gained some notoriety last year when it came to light that they had developed a means of spreading “fileless malware” using legitimate Windows tools to infect machines around the world.

The Windows Defender ATP team discovered evidence of a massive campaign and described the group’s innovative technique as ‘Living off the Land.’ Once Microsoft called attention to the group’s activities and the methods they were using to spread their malware, the campaign slowed to a trickle and the group went quiet for the rest of the year.

Now, they’re back and they’ve completely changed their approach. Their latest campaign begins conventionally, with a spam email that contains an LNK file. From there, the group veers off into new territory.

These days, they’re using Alternative Data Streams (ADS) to hide malicious payloads by appending data to an existing file. To load the payload, the group is abusing a legitimate process called ExtExport.exe, which the Windows Defender ATP team describes as a “highly uncommon attack vector” that makes Astaroth payloads incredibly hard to detect.

If there’s a silver lining, it is the fact that a potential victim has to jump through at least a few hoops to trigger the conditions that will install the payload. The spam email they get will inevitably contain a zip file. A victim has to open the zip file, then click the LNK file, which runs an obfuscated BAT command line.

This, in turn, drops a JavaScript file into the Pictures folder on the machine and issues a command to Explorer.exe to run the file.

Given this, the best line of defense here is employee education. If your employees are still in the habit of opening emails and clicking on files and links from unknown and untrusted sources, there’s really no stopping this threat. Make sure your people understand the risks!