Experts Warn About Ongoing AutoHotkey-Based Malware Attacks

Cybersecurity researchers have uncovered an ongoing malware campaign that relies heavily on the AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RATs) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm on target Windows systems.

At least four different versions of the campaign have been observed since February 2021, according to researchers from Morphisec Labs.

“The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script,” the researchers noted. “This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions.”

AutoHotkey is an open-source custom scripting language for Microsoft Windows that is meant to provide easy hotkeys for macro creation and software automation, enabling users to automate repetitive tasks in any Windows application.

Regardless of the attack chain, the infection starts with an AHK executable that proceeds to drop and execute different VBScripts that eventually load the RAT on the compromised machine. In one variant of the attack first detected on March 31, the adversary behind the campaign encapsulated the dropped RAT with an AHK executable, in addition to disabling Microsoft Defender by deploying a Batch script and a shortcut (.LNK) file pointing to that script.

A second version of the malware was found to block connections to popular antivirus solutions by tampering with the victim’s hosts file. “This manipulation denies the DNS resolution for those domains by resolving the localhost IP address instead of the real one,” the researchers explained.
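A defender can check for the hosts-file tampering described above by flagging entries that pin security-product domains to a loopback or unspecified address. The following is an added example, not code from Morphisec or from the original article; the watchlist suffixes and the sample hosts content are constructed placeholders, and the helper names are hypothetical.

```python
import ipaddress

# Hypothetical watchlist: replace with the update/telemetry domains of the
# security products actually deployed. These names are placeholders.
WATCHED_SUFFIXES = ("av-vendor.example", "edr-cloud.example")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue                            # blank, comment-only or malformed
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                            # first field is not an IP address
        for name in entry[1:]:                  # one line may carry several aliases
            yield line_no, ip, name.lower().rstrip(".")

def is_sinkhole(ip):
    """True for addresses that make the name unreachable (127.0.0.0/8, ::1, 0.0.0.0, ::)."""
    return ip.is_loopback or ip.is_unspecified

def is_watched(name):
    """Match the watched domain itself or any subdomain, not look-alike prefixes."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_blocked_security_domains(text):
    """Return hosts entries that pin a watched domain to a sinkhole address."""
    return [(n, str(ip), name) for n, ip, name in parse_hosts(text)
            if is_watched(name) and is_sinkhole(ip)]

# Constructed sample input, not taken from the campaign.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # internal portal
127.0.0.1       update.av-vendor.example www.av-vendor.example
0.0.0.0         API.EDR-Cloud.example.
# 127.0.0.1     av-vendor.example   (commented out, ignored)
127.0.0.1       notav-vendor.example
"""

if __name__ == "__main__":
    for line_no, ip, name in find_blocked_security_domains(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {name} -> {ip}")
```

On a Windows endpoint the text to scan would come from `%SystemRoot%\System32\drivers\etc\hosts`; any hit is worth correlating with recent modification of that file.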

In a similar vein, another loader chain observed on April 26 involved delivering the LimeRAT via an obfuscated VBScript, which is then decoded into a PowerShell command that retrieves a C# payload containing the final-stage executable from a Pastebin-like sharing platform service called “”

Lastly, a fourth attack chain discovered on April 21 used an AHK script to execute a legitimate application, before dropping a VBScript that runs an in-memory PowerShell script to fetch the HCrypt malware loader and install AsyncRAT.

Morphisec researchers attributed all the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.

“As threat actors study baseline security controls like emulators, antivirus, and UAC, they develop techniques to bypass and evade them,” the researchers explained. “The technique changes detailed in this report did not affect the impact of these campaigns. The tactical goals remained the same. Rather, the technique changes were to bypass passive security controls. A common denominator among these evasive techniques is the abuse of process memory because it’s typically a static and predictable target for the adversary.”

This is not the first time adversaries have abused AutoHotkey to drop malware. In December 2020, Trend Micro researchers uncovered a credential stealer written in AutoHotkey scripting language that singled out financial institutions in the U.S. and Canada.
