At the end of May, the Microsoft IT security team detected anomalous activity. The Windows Management Instrumentation Command-line (WMIC) was registering far more activity than usual. It was a completely legitimate tool on the company’s operating system. What caught their attention was the fact that the activity had increased so much from one day to the next.
Before long, alarm bells started ringing. The team set about investigating the possible causes of this surge in activity. They were in for a surprise. Astaroth, the malware that had become famous in 2018, was back.
How Astaroth got onto WMIC
The infection process was as follows. A massive spam campaign sent endless emails that directed users to a website hosting a file with the .LNK extension. This kind of file is traditionally used as a Windows shortcut (a direct-access link), and it has also been used in various cyberattack techniques that rely on malware.
If users did download that file, the cyberattackers used the WMIC command line and other legitimate system tools to run additional code. The end goal was to download Astaroth, which is capable of stealing all kinds of credentials from different applications and uploading them to an external server. In other words, the increased activity on WMIC was aimed at stealing all kinds of information from the affected computers.
No files, only trusted tools
This attack was problematic for two reasons. Firstly, the initial infection was always carried out without any kind of file that could be identified as suspicious. Secondly, the cybercriminals always used totally legitimate and trusted tools from the operating system itself.
The outcome was as effective as it was worrying: the attackers managed to infect systems using Living-off-the-Land techniques. Their activity thus went totally unnoticed by traditional cybersecurity solutions.
How to avoid these infections
To prevent these attacks, it is necessary to accept one precept that, while not new, is still not widespread: for a cyberattack to be successful, there is no need for an executable file to exist to facilitate the intrusion. Malwareless attacks are an ever-present danger. What’s more, if the cyberattack uses legitimate and trusted operating system tools, cybersecurity solutions based simply on detecting suspicious files or tools are not enough. We have to go much further.
However, the fact that an attack has these characteristics doesn’t make it invisible or undetectable. That said, in order to stop it, we have to adopt a new, proactive attitude. This includes searching for possible anomalies before the situation takes a turn for the worse and becomes an IT security incident.
To this end, Threat Hunting is vital. Not only does it evaluate the possible existence of malicious files, but it also analyzes the behavior of active processes on the operating system in order to detect possibly dangerous situations. In fact, this was exactly what allowed the Microsoft cybersecurity team to detect the presence of Astaroth. By monitoring the activity on WMIC, they realized that the increase in traffic couldn’t be put down to normal behavior. The investigation allowed them to trace the root of the cyberattack.
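The hunting step described above, watching a legitimate tool's activity against its own baseline and then breaking a suspicious day down by host and parent process, can be reduced to a small script. The following is an added illustration and is not code from the article, from Microsoft or from Cytomic; the log lines, the pipe-separated field layout and the thresholds (`ratio`, `min_count`) are constructed assumptions rather than values taken from the incident.

```python
"""Baseline-vs-latest-day anomaly check for WMIC process creations.

Constructed example: SAMPLE_LOG mimics a minimal process-creation feed and
the thresholds are assumptions; neither comes from the article.
"""
from collections import Counter
from statistics import mean

# Constructed sample feed (not real telemetry): one process-creation event
# per line as "YYYY-MM-DD|host|parent image|image|command line".
SAMPLE_LOG = """\
2019-05-20|WS01|cmd.exe|wmic.exe|wmic os get caption
2019-05-21|WS02|cmd.exe|wmic.exe|wmic computersystem get model
2019-05-22|WS01|cmd.exe|wmic.exe|wmic os get version
2019-05-23|WS03|cmd.exe|wmic.exe|wmic logicaldisk get size
2019-05-24|WS02|cmd.exe|wmic.exe|wmic process list brief
2019-05-25|WS01|explorer.exe|wmic.exe|wmic os get caption
2019-05-25|WS02|explorer.exe|wmic.exe|wmic os get caption
2019-05-25|WS03|explorer.exe|wmic.exe|wmic os get caption
2019-05-25|WS04|explorer.exe|wmic.exe|wmic os get caption
2019-05-25|WS05|explorer.exe|wmic.exe|wmic os get caption
2019-05-25|WS06|explorer.exe|wmic.exe|wmic os get caption
2019-05-25|WS01|cmd.exe|ping.exe|ping 10.0.0.1
"""


def parse_events(text):
    """Turn the constructed feed into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, parent, image, cmdline = line.split("|", 4)
        events.append({"day": day, "host": host, "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events


def daily_counts(events, image="wmic.exe"):
    """Count launches of one image per day, oldest day first."""
    counts = Counter(e["day"] for e in events if e["image"] == image)
    return dict(sorted(counts.items()))


def detect_spike(counts, ratio=3.0, min_count=5):
    """Compare the most recent day against the mean of all earlier days.

    Returns a dict describing the spike, or None when nothing stands out.
    `ratio` and `min_count` are assumed thresholds: the day must be at least
    `ratio` times the baseline AND reach `min_count` events, so a tiny
    baseline (1 -> 3) does not page anyone.
    """
    days = list(counts)
    if len(days) < 2:
        return None
    today = days[-1]
    baseline = mean(counts[d] for d in days[:-1])
    if counts[today] >= min_count and counts[today] >= ratio * baseline:
        return {"day": today, "count": counts[today], "baseline": baseline}
    return None


def triage_day(events, day, image="wmic.exe"):
    """Break a flagged day down by host, parent image and command line so a
    hunter can see whether the growth is one noisy box or fleet-wide and
    whether the launches share a parent (here: all spawned by explorer.exe)."""
    hits = [e for e in events if e["day"] == day and e["image"] == image]
    return {
        "hosts": sorted({e["host"] for e in hits}),
        "parents": dict(Counter(e["parent"] for e in hits)),
        "cmdlines": dict(Counter(e["cmdline"] for e in hits)),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    counts = daily_counts(evs)
    spike = detect_spike(counts)
    if spike:
        print(f"WMIC spike on {spike['day']}: {spike['count']} launches "
              f"vs baseline {spike['baseline']:.1f}")
        print(triage_day(evs, spike["day"]))
    else:
        print("no anomaly in WMIC activity")
```

Feeding real process-creation telemetry into `parse_events` is the only part that needs adapting; the point of the example is the shape of the check: a per-tool baseline, a spike rule that needs both a relative and an absolute jump, and a triage view that answers the hunter's first questions (how many hosts, which parent, which command lines) before anyone decides whether the growth is legitimate.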
Besides this, automated tasks must always be combined with manual work carried out by advanced cyberdefense professionals. These professionals know how to look where detection algorithms may not be able to see in as much detail. This way of working allows the tasks to be prioritized. While professionals focus on the more important alerts, automated tasks can focus on less urgent alerts and on detecting possibly suspicious behavioral patterns.
Cytomic Orion, our Threat Hunting and incident response solution, is based on these premises. Cytomic Orion combines two approaches: on the one hand, its console evaluates the active processes of the whole IT system in order to analyze patterns, evaluate routines and detect possible anomalous behaviors that may arouse suspicions. Not only does it actively search for them, but it also acts to eliminate any kind of alarm. On the other hand, the team of expert analysts sees what the automated tasks cannot, focusing on the most important alerts and eliminating all possibility of a cyberattack succeeding. This technology-service duality allows us to neutralize Living-off-the-Land attacks that rely on legitimate system tools.
The most important thing, therefore, is to be aware of the fact that cybercriminals change their attack strategies, and that these strategies won’t necessarily use specific files. In this new context, corporate cybersecurity solutions and teams must be proactive in order to mitigate any problem even before it can take place.