Cybersecurity researchers have uncovered an ongoing malware campaign that relies heavily on the AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RATs) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm onto targeted Windows systems.
At least four different versions of the campaign have been observed since February 2021, according to researchers from Morphisec Labs.
“The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script,” the researchers said. “This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions.”
AutoHotkey is an open-source custom scripting language for Microsoft Windows that is meant to provide easy hotkeys for macro creation and software automation, enabling users to automate repetitive tasks in any Windows application.
Regardless of the attack chain, the infection begins with an AHK executable that proceeds to drop and execute different VBScripts that ultimately load the RAT on the compromised machine. In one variant of the attack, first detected on March 31, the adversary behind the campaign encapsulated the dropped RAT inside an AHK executable, in addition to disabling Microsoft Defender by deploying a Batch script and a shortcut (.LNK) file pointing to that script.
A second version of the malware was found to block connections to popular antivirus solutions by tampering with the victim's hosts file. “This manipulation denies the DNS resolution for those domains by resolving the localhost IP address instead of the real one,” the researchers explained.
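The hosts-file tampering described above leaves a simple, checkable artifact on the endpoint: hostnames pinned to a loopback or unspecified address. The following is an added example (not code from the article or from Morphisec) that parses hosts-file content and flags every non-default name mapped to such a sink address; the sample hosts file content and all of its domain names are constructed for the demonstration, and the `scan_hosts_file` path default is the standard location of the Windows hosts file.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (not taken from the article).
# The commented-out localhost lines mirror a default Windows hosts file; the
# active entries below them are the kind of blackholing the campaign performs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1   updates.av-vendor.example   # constructed entry
127.0.0.1   cloud.edr-vendor.example    # constructed entry
0.0.0.0     telemetry.security-vendor.example
::1         signatures.av-vendor.example
192.168.10.5   intranet.corp.example
"""

# Names that legitimately map to loopback on a default install; anything else
# pointed at a sink address is worth a look.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping in hosts-file text.
    Inline '#' comments are stripped; one line may map several hostnames."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, nothing mapped
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), line_no


def is_blackholed(ip):
    """True if traffic to ip goes nowhere: loopback (127/8, ::1) or 0.0.0.0/::."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an address at all; leave it to other checks
    return addr.is_loopback or addr.is_unspecified


def find_blackholed_hosts(text):
    """Return [(hostname, ip, line_no)] for every non-default hostname that the
    file resolves to a sink address instead of its real one."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in BENIGN_LOOPBACK_NAMES:
            continue
        if is_blackholed(ip):
            findings.append((name, ip, line_no))
    return findings


def scan_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read a real hosts file (default: the standard Windows path) and scan it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_blackholed_hosts(fh.read())


if __name__ == "__main__":
    for name, ip, line_no in find_blackholed_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On the constructed sample this reports the four sinkholed vendor names and ignores both the commented-out defaults and the intranet entry that points at a routable address. On a real fleet the same check is cheap to run periodically, since a default hosts file has no active loopback mappings at all and any that appear, especially for security-vendor update or telemetry domains, are a strong tamper signal.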
In a similar vein, another loader chain observed on April 26 involved delivering LimeRAT via an obfuscated VBScript, which is then decoded into a PowerShell command that retrieves a C# payload containing the final-stage executable from a Pastebin-like sharing platform called “stikked.ch.”
Lastly, a fourth attack chain discovered on April 21 used an AHK script to execute a legitimate application, before dropping a VBScript that runs an in-memory PowerShell script to fetch the HCrypt malware loader and install AsyncRAT.
Morphisec researchers attributed all the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.
“As threat actors study baseline security controls like emulators, antivirus, and UAC, they develop techniques to bypass and evade them,” the researchers said. “The technique changes detailed in this report didn't affect the impact of these campaigns. The tactical goals remained the same. Rather, the technique changes were to bypass passive security controls. A common denominator among these evasive techniques is the abuse of process memory because it's typically a static and predictable target for the adversary.”
This isn't the first time adversaries have abused AutoHotkey to drop malware. In December 2020, Trend Micro researchers discovered a credential stealer written in the AutoHotkey scripting language that singled out financial institutions in the U.S. and Canada.