Threat actors have been found distributing a new credential stealer written in the AutoHotkey (AHK) scripting language as part of an ongoing campaign that started in early 2020.
Customers of financial institutions in the US and Canada are among the primary targets for credential exfiltration, with a specific focus on banks such as Scotiabank, Royal Bank of Canada, HSBC, Alterna Bank, Capital One, Manulife, and EQ Bank. Also included in the list is the Indian banking company ICICI Bank.
AutoHotkey is an open-source custom scripting language for Microsoft Windows aimed at providing easy hotkeys for macro creation and software automation, allowing users to automate repetitive tasks in any Windows application.
The multi-stage infection chain begins with a malware-laced Excel file that carries a Visual Basic for Applications (VBA) AutoOpen macro, which is subsequently used to drop and execute the downloader client script (“adb.ahk”) via a legitimate portable AHK script compiler executable (“adb.exe”).
The downloader client script is also responsible for achieving persistence, profiling victims, and downloading and running additional AHK scripts from command-and-control (C&C) servers located in the US, the Netherlands, and Sweden.
What makes this malware different is that instead of receiving commands directly from the C&C server, it downloads and executes AHK scripts to carry out different tasks.
“By doing this, the attacker can decide to upload a specific script to achieve customized tasks for each user or group of users,” Trend Micro researchers said in an analysis. “This also prevents the main components from being revealed publicly, specifically to other researchers or to sandboxes.”
Chief among them is a credential stealer that targets various browsers such as Google Chrome, Opera, Microsoft Edge, and more. Once installed, the stealer also attempts to download an SQLite module (“sqlite3.dll”) onto the infected machine, using it to perform SQL queries against the SQLite databases inside the browsers’ application folders.
In the final step, the stealer collects and decrypts credentials from the browsers and exfiltrates the data to the C&C server in plaintext via an HTTP POST request.
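The chain described above leaves two host-level traces a defender can hunt for: an Office process launching something that runs an .ahk script, and a non-browser process loading sqlite3.dll from a user profile path. The following detection logic is an added example, not code from the article or from Trend Micro; the Sysmon-style events and the sqlite3.dll allowlist are constructed for illustration and would need tuning per environment.

```python
import re

# Constructed Sysmon-style telemetry for illustration only (not real logs).
EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "cmdline": "EXCEL.EXE statement.xlsm"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Users\bob\AppData\Roaming\adb.exe", "cmdline": "adb.exe adb.ahk"},
    {"type": "process_create", "pid": 300, "ppid": 1,
     "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "cmdline": "AutoHotkey.exe remap.ahk"},
    {"type": "image_load", "pid": 200,
     "image": r"C:\Users\bob\AppData\Roaming\adb.exe", "loaded": r"C:\Users\bob\AppData\Roaming\sqlite3.dll"},
    {"type": "image_load", "pid": 400,
     "image": r"C:\Python39\python.exe", "loaded": r"C:\Python39\DLLs\sqlite3.dll"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Hypothetical allowlist of processes expected to load sqlite3.dll; tune per environment.
SQLITE_ALLOWLIST = {"python.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_spawned_ahk(events):
    """PIDs of processes whose parent is an Office app and whose command line names an .ahk script."""
    parents = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        parent = parents.get(e["ppid"])
        if parent and basename(parent["image"]) in OFFICE_APPS \
                and re.search(r"\.ahk\b", e["cmdline"], re.I):
            hits.append(e["pid"])
    return hits

def unexpected_sqlite_loaders(events):
    """PIDs of non-allowlisted processes that load sqlite3.dll from a user profile (AppData) path."""
    hits = []
    for e in events:
        if e["type"] == "image_load" and basename(e["loaded"]) == "sqlite3.dll":
            if basename(e["image"]) not in SQLITE_ALLOWLIST and "\\appdata\\" in e["loaded"].lower():
                hits.append(e["pid"])
    return hits

if __name__ == "__main__":
    print("Office -> AHK script:", office_spawned_ahk(EVENTS))              # [200]
    print("Unexpected sqlite3.dll load:", unexpected_sqlite_loaders(EVENTS))  # [200]
```

The legitimately installed AutoHotkey interpreter (pid 300) is not flagged because its parent is not an Office application, which is the distinguishing feature of this chain rather than AHK usage itself.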
Noting that the malware components are “well organized at the code level,” the researchers suggest the inclusion of usage instructions (written in Russian) could indicate a “hack-for-hire” group that is behind the attack chain’s creation and is offering it to others as a service.
“By using a scripting language that lacks a built-in compiler within a victim’s operating system, loading malicious components to achieve various tasks separately, and changing the C&C server frequently, the attacker has been able to hide their intention from sandboxes,” the researchers concluded.