The Great Duke of Hell. That’s the name of a particularly nasty piece of malware that security researchers from Microsoft have identified circulating on the web.
On 8 June, analysts from the Microsoft Defender Advanced Threat Protection Research Team issued a warning to confirm that a notorious credential-stealing malware threat is targeting Windows users.
Dubbed Astaroth, or “the Great Duke of Hell”, upon its discovery in 2017, the malware is essentially a Trojan that harvests user credentials. What makes it so dangerous is its “invisible man” methodology: every file executed within the attack chain is a legitimate system tool already present on the machine. In effect, the computer is directed to carry out the malicious commands using its own built-in utilities. This lets the Duke of Hell hide in plain sight, slipping past most malware detection systems.
According to Microsoft’s telemetry, the most recent campaign commenced on 19 May and carried on into mid-June, with at least four significant spikes in activity. The two biggest surges by far took place between 26 May and 1 June, and between 2 June and 6 June.
The typical attack begins with a spear-phishing email containing a link that, if clicked, installs the Trojan.
While concerning in and of itself, the Duke of Hell also marks a milestone in the development of cyber threats. So-called fileless malware, in which the malicious code does not reach the system as a file written to disk but instead runs from within the computer’s RAM, has been a growing concern over the past year. Amid growing awareness of cyber threats as a primary danger to national security, fileless attacks are uniquely problematic: they circumvent traditional methods of detection and often require advanced diagnostics to uncover.
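Because the attack chain described above consists only of legitimate system tools, file-based scanning has nothing to match on; what remains visible is the sequence of processes. The following is an added illustration, not code from the article or from Microsoft: a small process-tree analyser that flags a chain in which a user-facing entry point (a mail client or browser, the kind of process that opens a phishing link) is followed exclusively by built-in system binaries. The log events, the field layout, the lists of entry points and system tools, and the threshold of two tools are all assumptions made for the example.

```python
"""
Added example (not from the article): detect "living-off-the-land" process
chains in constructed process-creation events. Assumptions: each event is
(pid, ppid, image name); the tool and entry-point lists are illustrative.
"""

# Built-in Windows binaries commonly seen in living-off-the-land chains.
# Assumption: a real deployment would maintain its own list for its estate.
SYSTEM_TOOLS = {
    "wmic.exe", "regsvr32.exe", "bitsadmin.exe", "certutil.exe",
    "mshta.exe", "rundll32.exe", "cmd.exe", "powershell.exe",
}

# Processes through which a phishing link would normally be opened.
ENTRY_POINTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry: (pid, ppid, image). One chain descends from a
# browser launched by the mail client into a run of system tools; the others
# are benign (an attachment viewer, and an administrator at a console).
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "outlook.exe"),
    (300, 200, "chrome.exe"),
    (400, 300, "cmd.exe"),
    (500, 400, "wmic.exe"),
    (600, 500, "regsvr32.exe"),
    (700, 200, "winword.exe"),
    (800, 100, "cmd.exe"),
    (900, 800, "wmic.exe"),
]


def build_tree(events):
    """Index events by pid so ancestry can be walked upward."""
    parent, image, has_child = {}, {}, set()
    for pid, ppid, img in events:
        parent[pid] = ppid
        image[pid] = img.lower()
        has_child.add(ppid)
    return parent, image, has_child


def ancestry(pid, parent, image):
    """Return image names from the root of the tree down to pid."""
    chain, seen = [], set()
    while pid in image and pid not in seen:   # stop at unknown parent or cycle
        seen.add(pid)
        chain.append(image[pid])
        pid = parent[pid]
    return list(reversed(chain))


def is_lotl_chain(chain, min_tools=2):
    """True when an entry point is followed only by system tools,
    at least min_tools of them."""
    for i, img in enumerate(chain):
        if img in ENTRY_POINTS:
            tail = chain[i + 1:]
            if len(tail) >= min_tools and all(t in SYSTEM_TOOLS for t in tail):
                return True
    return False


def find_lotl_chains(events, min_tools=2):
    """Report each leaf process whose ancestry is a living-off-the-land
    chain. Only leaves are reported so one chain yields one alert."""
    parent, image, has_child = build_tree(events)
    alerts = []
    for pid in image:
        if pid in has_child:
            continue
        chain = ancestry(pid, parent, image)
        if is_lotl_chain(chain, min_tools):
            alerts.append((pid, chain))
    return alerts


if __name__ == "__main__":
    for pid, chain in find_lotl_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {' -> '.join(chain)}")
```

The threshold `min_tools` is the tuning knob: a mail client launching a single `cmd.exe` is common enough in many environments that flagging it would be noisy, whereas two or more built-in tools chained beneath a browser or mail client is far rarer and worth a look. The same walk can be run over real process-creation telemetry once the events are mapped onto the (pid, ppid, image) shape assumed here.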