Cybersecurity researchers have uncovered an ongoing malware campaign that relies heavily on the AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RATs), including Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm, onto targeted Windows systems.
At least four different versions of the campaign have been observed since February 2021, according to researchers from Morphisec Labs.
"The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script," the researchers noted. "This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions."
AutoHotkey is an open-source custom scripting language for Microsoft Windows that is meant to provide easy hotkeys for macro creation and software automation, allowing users to automate repetitive tasks in any Windows application.
Regardless of the attack chain, the infection begins with an AHK executable that drops and executes different VBScripts, which eventually load the RAT on the compromised machine. In one variant of the attack, first detected on March 31, the adversary behind the campaign encapsulated the dropped RAT within an AHK executable and additionally disabled Microsoft Defender by deploying a Batch script and a shortcut (.LNK) file pointing to that script.
A second version of the malware was found to block connections to popular antivirus solutions by tampering with the victim's hosts file. "This manipulation denies the DNS resolution for those domains by resolving the localhost IP address instead of the real one," the researchers explained.
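The hosts-file sinkholing described above leaves a simple artifact a defender can check for: entries that map security-vendor domains to a loopback or null-route address. The following is an added example, not code from the Morphisec report; the vendor-domain watchlist and the sample hosts content are constructed for illustration.

```python
import ipaddress

# Addresses that turn a hosts entry into a DNS sinkhole (loopback or null route).
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Hypothetical watchlist of security-vendor domains (constructed; extend for your estate).
SECURITY_DOMAINS = ("microsoft.com", "windowsupdate.com", "virustotal.com", "avast.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalises e.g. IPv6 spelling
        except ValueError:
            continue  # malformed address; not a usable mapping
        for host in fields[1:]:  # one line may list several hostnames
            yield ip, host.lower()


def find_sinkholed(text, watchlist=SECURITY_DOMAINS):
    """Return hosts entries that point a watched domain (or any subdomain) at a sinkhole IP."""
    hits = []
    for ip, host in parse_hosts(text):
        if ip not in SINKHOLE_IPS:
            continue
        if any(host == d or host.endswith("." + d) for d in watchlist):
            hits.append((ip, host))
    return hits


# Constructed sample: default Windows comment lines plus three tampered entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
0.0.0.0   www.virustotal.com virustotal.com   # added by malware
127.0.0.1 updates.avast.com
10.0.0.5  intranet.example
"""

if __name__ == "__main__":
    # On a live Windows host, read C:\Windows\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.
    for ip, host in find_sinkholed(SAMPLE_HOSTS):
        print(f"sinkholed security domain: {host} -> {ip}")
```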
In a similar vein, another loader chain observed on April 26 delivered LimeRAT via an obfuscated VBScript, which is decoded into a PowerShell command that retrieves a C# payload containing the final-stage executable from a Pastebin-like sharing platform called "stikked.ch."
Lastly, a fourth attack chain discovered on April 21 used an AHK script to execute a legitimate application before dropping a VBScript that runs an in-memory PowerShell script to fetch the HCrypt malware loader and install AsyncRAT.
Morphisec researchers attributed all of the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.
"As threat actors study baseline security controls like emulators, antivirus, and UAC, they develop techniques to bypass and evade them," the researchers said. "The technique changes detailed in this report did not affect the impact of these campaigns. The tactical goals remained the same. Rather, the technique changes were to bypass passive security controls. A common denominator among these evasive techniques is the abuse of process memory because it's typically a static and predictable target for the adversary."
This isn't the first time adversaries have abused AutoHotkey to drop malware. In December 2020, Trend Micro researchers discovered a credential stealer written in the AutoHotkey scripting language that singled out financial institutions in the U.S. and Canada.