Microsoft warns about 'fileless' trojan using legitimate tools to avoid detection

“Fileless” malware that can steal your personal information uses legitimate system tools in an effort to go undetected, researchers from the Microsoft Defender Advanced Threat Protection team warned this week.

The Astaroth Trojan is a widespread fileless campaign that operates “off the land,” using existing Windows tools, according to Andrea Lelli from the Microsoft Defender ATP research team.

Lelli detailed in a blog post how the Astaroth Trojan can spread after someone clicks a malicious link. That click leads to the execution of code that downloads the “payloads” which load fileless threats like Astaroth.

The technique uses “legitimate tools that are already present on the target system to masquerade as regular activity,” Lelli said.

Once it’s on your computer, Astaroth can steal sensitive information like credentials and keystrokes, and then send the data to a remote attacker, according to Lelli. That stolen information can be used to move across networks or to carry out financial theft, or it can be sold to other criminals.

Astaroth has affected companies in parts of Europe and Brazil, according to research by Eli Salem. He found that Astaroth even manipulated antivirus software like Avast in order to avoid detection.

Salem wrote in a blog post that he expects the technique will become more common.
“The potential for damage will grow as attackers will look to other more destructive payloads,” he suggested.