A Credential Stealer Written in AutoHotkey Scripting Language

What has happened?

• The multi-stage infection chain starts with the use of a malware-laced Excel file laden with a VBA AutoOpen macro. Subsequently, it drops/executes a downloader client script by using a portable AHK script compiler executable.
• This client script is also used for profiling victims, persistence, and downloading and executing more AHK scripts from command-and-control servers located in Sweden, the Netherlands, and the U.S.
• In the final stage, the stealer gathers and decrypts system requirements from browsers and sends this information to the C&C server in a simple text by using an HTTP Post request.

Additional insights

• What is unique about this stealer is that instead of getting or obtaining any instructions from the C&C server, this stealer downloads and executes AHK scripts to fulfill various jobs. It prevents the main parts of malware from getting exposed publicly. 
• By doing so, an attacker can add a custom script for a different type of job for each and every person or group of customers, allowing them to control the malware.

Recent attacks using infostealers

• In early-December, a payment card skimmer group was found to be using Raccoon info-stealer to siphon off data.
• In addition, a web skimmer was discovered in social media buttons, targeting e-commerce and online shoppers.

Conclusion