AutoHotkey Malicious Scripts Used to Steal Info, Remotely Access Systems

Attackers are targeting potential victims using a malicious AutoHotkey script to avoid detection and to steal information, to drop more payloads, and to remotely access compromised machines using TeamViewer.

AutoHotkey (also known as AHK) is an open-source scripting language for Windows, created back in 2003 to add keyboard shortcut (hotkey) support to AutoIt, another free Windows automation language.

The malicious AutoHotkey script payload is delivered with the help of a decoy Excel Macro-Enabled Workbook email attachment named Military Financing.xlsm after the Foreign Military Financing (FMF) program of the U.S. Defense Security Cooperation Agency to trick potential targets into enabling macros to view the file's contents.

As discovered by Trend Micro's Cyber Threat Research Team, once the victims enable macros in Microsoft Excel, the XLSM document will "drop the legitimate script engine AutoHotkey along with a malicious script file."

Attack chain

Immediately after, the malicious script is executed and automatically connects to its command-and-control (C&C) server to download more scripts onto the compromised machine, according to the commands it receives from the attackers.

The researchers analyzed the activity of the dropped AutoHotkeyU32.ahk script and saw that it will execute the following commands:

• Create a link file in the startup folder for AutoHotkeyU32.exe, allowing the attack to persist even after a system restart.
• Connect to the C&C server every 10 seconds to download, save, and execute script files containing the commands.
• Send the volume serial number of the C drive, which allows the attacker to identify the victim.
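The persistence step in the list above (a shortcut in the Startup folder that launches AutoHotkeyU32.exe) is something defenders can check for directly. The following PowerShell script is an added example, not code from the Trend Micro report; it enumerates both Startup folders, resolves each .lnk, and flags any shortcut whose target is an AutoHotkey interpreter or whose arguments reference an .ahk script. The regexes are assumptions chosen to cover any AutoHotkey build name, not just the one named in the report.

```powershell
# Added defender-side check (not from the report): look for Startup-folder
# shortcuts that launch an AutoHotkey interpreter or pass an .ahk script.
# Run in PowerShell on the host under review; elevation is needed to read
# the all-users Startup folder on some systems.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
)

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk       = $shell.CreateShortcut($_.FullName)
            $target    = [string]$lnk.TargetPath
            $argString = [string]$lnk.Arguments

            # Assumed patterns: any AutoHotkey*.exe binary (e.g. AutoHotkeyU32.exe)
            # as the target, or an .ahk script in the target or arguments.
            $ahkBinary = $target -match '(?i)autohotkey[^\\]*\.exe$'
            $ahkScript = ($target -match '(?i)\.ahk$') -or
                         ($argString -match '(?i)\.ahk(\s|"|$)')

            if ($ahkBinary -or $ahkScript) {
                $hash = $null
                if ($target -and (Test-Path -Path $target)) {
                    $hash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
                }
                [pscustomobject]@{
                    Shortcut   = $_.FullName
                    Target     = $target
                    Arguments  = $argString
                    Created    = $_.CreationTime
                    TargetHash = $hash   # for correlation with your own IoC sources
                }
            }
        }
}

if ($findings) {
    $findings | Format-List
} else {
    'No AutoHotkey-related shortcuts found in the Startup folders.'
}
```

A legitimate AutoHotkey user may have such a shortcut, so treat a hit as a lead to triage (check the script contents and the shortcut's creation time against the phishing e-mail's arrival) rather than as a verdict.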

In the end, as the researchers found, one of the downloaded malicious scripts will also drop a copy of TeamViewer, making it possible for the bad actors to gain remote access to the infected computers.

"These files allow the attackers to get the computer name and take screen captures. More importantly, one of these files also enables the download of TeamViewer, a remote access tool that gives threat actors remote control over the system," says Trend Micro's report.

Excel decoy

While this malicious campaign's purpose is not yet known or obvious, the threat actors behind it might be using it for cyber-espionage information collection, given that it targets victims potentially interested in Defense Security Cooperation Agency military financing programs.

However, the attackers might also employ the seemingly harmless AutoHotkey scripts, which help avoid detection, to drop any other payload, from banking Trojans, coinminers, and backdoors to the more dangerous ransomware or wiper malware.

AHK-based malware strains surfaced in 2018

AutoHotkey-based malware started surfacing during early 2018 in the form of various aimbots and game cheating tools, while multiple AHK malware samples were seen by Ixia's security research team distributing cryptominers and a clipboard hijacker in February.

One month later, the Cybereason Nocturnus research team stumbled upon an AHK-based malware strain which they dubbed Fauxpersky given its attempts to pass as a legitimate Kaspersky antivirus copy.

"Every day we find the same clipbankers/droppers/keyloggers that only have minor changes done to their code as well as samples that even employ complex obfuscation techniques and file structure," Ixia security researcher Gabriel Cirlig said at the time.
