An ongoing malware campaign has been discovered that uses the AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RATs), including LimeRAT, AsyncRAT, Houdini, Vjw0rm, and Revenge RAT. At least four distinct versions of the campaign have been observed since February.

What happened?

According to researchers from Morphisec Labs, the RAT delivery campaign starts from a compiled AHK script: a standalone executable that bundles the AHK interpreter, the script itself, and any files the author embedded via the FileInstall command.
  • In the first variant, first seen on February 17, the attackers wrapped the dropped RAT in an AHK executable and disabled Microsoft Defender using a batch script and a shortcut (.LNK) file pointing to that script.
  • A second version, first seen on March 31, blocked connections to antivirus vendors by tampering with the victim's hosts file. The added entries mapped the vendors' domains to the localhost address (127.0.0.1), so name lookups for those domains never reached the real servers.
  • The third loader chain, first spotted on April 8, delivered LimeRAT via an obfuscated VBScript that decodes into a PowerShell command, which in turn retrieves a C# payload.
  • On May 2, a fourth attack chain used an AHK script to run a legitimate application before delivering a VBScript that runs an in-memory PowerShell script to fetch the HCrypt loader and install AsyncRAT.
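The hosts-file tampering used by the second variant leaves a simple artifact that defenders can check for. The following Python script is an added example, not code from Morphisec or from this article: it parses hosts-file content, flags every name mapped to a loopback or unspecified address (127.0.0.1, 0.0.0.0, ::1 and the like), and tags those that fall under a list of security-vendor domains. The vendor list and the sample hosts content are constructed for illustration; on a live Windows host you would read C:\Windows\System32\drivers\etc\hosts instead of the embedded sample.

```python
"""Flag hosts-file entries that sinkhole security-vendor domains on the local machine.

Added example for this article; the vendor list and HOSTS_SAMPLE are constructed.
"""
import ipaddress
from typing import Iterator, List, NamedTuple, Tuple

# Names that legitimately point at loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Illustrative security-vendor domains (assumption; extend for your own estate).
VENDOR_DOMAINS = {
    "microsoft.com", "windowsdefender.com", "malwarebytes.com",
    "avast.com", "kaspersky.com", "sophos.com", "eset.com",
}

# Constructed sample: the default Windows header followed by tampered entries.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
127.0.0.1   localhost
127.0.0.1   intranet.corp.example   # developer override, not a vendor
127.0.0.1   www.malwarebytes.com
0.0.0.0     update.kaspersky.com
::1         www.avast.com
127.0.0.1   update.microsoft.com   # also blocks Defender signature updates
"""


class Finding(NamedTuple):
    line_no: int
    ip: str
    name: str
    vendor: bool  # True when the name falls under VENDOR_DOMAINS


def parse_hosts(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text.

    Comments ('#' to end of line) and blank lines are skipped; one line may
    map several names to the same address, so each name is yielded separately.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip, name.lower().rstrip(".")


def is_vendor_domain(name: str) -> bool:
    """True if name is a vendor domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def find_sinkholed(text: str) -> List[Finding]:
    """Return every non-local name mapped to a loopback or unspecified address.

    Checking the address properties rather than a fixed string catches
    variants such as 127.0.0.2 or an alternative spelling of ::1.
    """
    findings: List[Finding] = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address, not a usable mapping
        if (addr.is_loopback or addr.is_unspecified) and name not in LOCAL_NAMES:
            findings.append(Finding(line_no, str(addr), name, is_vendor_domain(name)))
    return findings


if __name__ == "__main__":
    for f in find_sinkholed(HOSTS_SAMPLE):
        tag = "VENDOR" if f.vendor else "other"
        print(f"line {f.line_no}: {f.ip} -> {f.name} [{tag}]")
```

Any vendor-tagged finding on a managed endpoint is a strong signal, since no legitimate software needs to sinkhole an antivirus update domain; the untagged findings are worth a second look too, because the same technique can be applied to any domain the attacker wants to keep the host from reaching.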

Recent AHK abuse

This is not the first time that cybercriminals have abused AHK to evade detection.
  • Last December, a credential stealer written in AHK was found targeting financial institutions in the U.S. and Canada.
  • In March, the Mekotio banking trojan was found abusing AHK and the AHK compiler to evade detection; it stole user information and targeted Spanish users.

Conclusion

Compiling payloads with the AHK scripting language lets attackers hide their intent from sandboxes, and the recent campaign combines several delivery techniques to drop multiple malware families. Protecting against such threats requires a proactive approach to security: organizations should audit their critical assets and watch for the tell-tale changes described above, such as Microsoft Defender being disabled and unexpected edits to the hosts file.

Cyware Publisher