An ongoing malware campaign has been discovered that uses the AutoHotkey (AHK) scripting language to deliver multiple RATs, including LimeRAT, AsyncRAT, Houdini, Vjw0rm, and Revenge RAT. The campaign is unusual in its heavy reliance on AutoHotkey, a fork of the AutoIt language that is often used for testing.

According to Morphisec Labs researchers, the RAT delivery campaign begins with a compiled AHK script. Such a compiled executable bundles the AHK interpreter, the script itself, and any files added with the FileInstall command.

▸In the first variant of the attack

First seen on February 17, this variant encapsulated the dropped RAT in an AHK executable and disabled Microsoft Defender using a batch script and a shortcut file (.LNK) pointing to that script.

▸The second version

First seen on March 31, this version blocked connections to antivirus solutions by altering the victim's hosts file. The tampered entries mapped the vendors' domains to the local host instead of their real IP addresses, which effectively negated DNS resolution for them.
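Hosts-file tampering of the kind described above is easy to audit from the defender's side: any entry that pins a non-local hostname to a loopback or null address is suspicious, and any entry that overrides a security vendor's domain at all deserves a look. The following Python script is an added example (not Morphisec's code and not from the campaign) that parses a hosts file and reports both conditions. The sample hosts content, the placeholder domains under `.example`, and the `watchlist` parameter are constructed for the demonstration; the Windows hosts path used by `scan_hosts_file` is the real default location.

```python
import ipaddress

# Addresses used to "sinkhole" a hostname so it never reaches the real server.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Names that legitimately point at loopback and must not be flagged.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed sample hosts file. The domains are placeholders, not real vendor hosts.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate internal override
0.0.0.0         updates.av-vendor.example
127.0.0.1       cloud-lookup.av-vendor.example  # added by attacker
127.0.0.1   telemetry.security-tool.example
"""


def parse_hosts(text):
    """Return a list of (address, hostname, line_no) tuples, ignoring comments
    and lines that do not start with a valid IP address."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr = parts[0]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a hosts mapping; skip rather than guess
        for name in parts[1:]:
            entries.append((addr, name.lower(), line_no))
    return entries


def find_sinkholed_hosts(text, watchlist=()):
    """Flag non-local hostnames pinned to a sinkhole address, plus any name on the
    (hypothetical) watchlist of security-vendor domains that is overridden at all.
    Returns a list of (line_no, address, hostname, reason)."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if addr in SINKHOLE_ADDRESSES and name not in BENIGN_LOOPBACK_NAMES:
            findings.append((line_no, addr, name,
                             "non-local hostname pinned to sinkhole address"))
        elif name in watch or any(name.endswith("." + w) for w in watch):
            findings.append((line_no, addr, name,
                             "watchlisted security domain overridden"))
    return findings


def scan_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts", watchlist=()):
    """Read a hosts file from disk and run the same checks over it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_sinkholed_hosts(fh.read(), watchlist)


if __name__ == "__main__":
    # Demonstrate on the constructed sample rather than the live system file.
    for line_no, addr, name, reason in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {addr:<12} {name:<40} {reason}")
```

The sinkhole rule needs no vendor list, so it catches overrides of domains you did not think to watch; the watchlist rule covers the quieter case where a vendor domain is redirected to an attacker-controlled address rather than loopback. In a detection pipeline the same logic applies equally well to a hosts file collected by EDR or to a file-integrity alert on that path.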

▸The third attack chain

First detected on April 8, this chain delivered LimeRAT via an obfuscated VBScript, which is decoded into a PowerShell command that retrieves a C# payload.

▸The fourth attack chain

This chain used an AHK script to run a legitimate application before delivering a VBScript that runs an in-memory PowerShell script to fetch the HCrypt loader and install AsyncRAT.

The Morphisec researchers attributed all the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.

This is not the first time that AutoHotkey has been abused by attackers to drop malware. In December 2020, Trend Micro researchers discovered a credential stealer written in AutoHotkey that targeted financial institutions in the United States and Canada.

By using the AHK scripting language, attackers can hide their intent from sandboxes. In addition, the recent campaign uses novel techniques to distribute several different malicious programs. This is of course not the only threat found on the web, but it is important to be prepared to face it.

See also:
RAT is a very Dangerous Malware
Hijacking is a dangerous type of Cyberattack
