An ongoing malware campaign has been discovered that uses the AutoHotkey (AHK) scripting language to deliver multiple RATs, such as LimeRAT, AsyncRAT, Houdini, Vjw0rm, and Revenge RAT. This campaign is unique in that it heavily uses the AutoHotKey scripting language, a fork of the AutoIt language often used for testing.<\/p>\n\n\n\n
According to Morphisec Labs researchers, the RAT delivery campaign begins with a compiled AHK script. The script includes the AHK interpreter, the script, and any files that you added using the FileInstall command.<\/p>\n\n\n\n
\u25b8In the first variant of the attack<\/em><\/strong><\/p>\n\n\n\n First seen on February 17, the attackers encapsulated the deleted RAT with an AHK executable and disabled Microsoft Defender with the Batch script and a shortcut file (.LNK) pointing to that script.<\/p>\n\n\n\n \u25b8The second version <\/em><\/strong><\/p>\n\n\n\n First appeared on March 31 blocked connections to antivirus solutions by altering the victim’s host file. This manipulation negated DNS resolution for those domains by resolving the IP address of the local host instead of the real one.<\/p>\n\n\n\n \u25b8The third chain attack<\/em><\/strong><\/p>\n\n\n\n First detected on April 8, delivered LimeRAT via obfuscated VBScript, which is then decoded into a PowerShell command that retrieves a C # payload.<\/p>\n\n\n\n \u25b8The fourth attack chain <\/em><\/strong><\/p>\n\n\n\n Used an AHK script to run a genuine application, before delivering a VBScript that runs an in-memory PowerShell script to get the HCrypt loader and install AsyncRAT.<\/p>\n\n\n\n The Morphisec researchers attributed all the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.<\/p>\n\n\n\n This is not the first time that AutoHotKey has been abused by attackers to remove malware. In December 2020, Trend Micro researchers discovered a credential stealer written in the AutoHotKey programming language that highlighted financial institutions in the United States and Canada.<\/p>\n\n\n\n By using the AHK scripting language, attackers can hide their intent from sandboxes. In addition, the recent campaign uses innovative techniques to distribute various malicious programs. Obviously, this is not the only threat that we can find on the web, but it is important to be prepared to face these threats.<\/p>\n\n\n\n See also: An ongoing malware campaign has been discovered that uses the AutoHotkey (AHK) scripting language to deliver multiple RATs, such as LimeRAT, AsyncRAT, Houdini, Vjw0rm, and Revenge RAT. This campaign is unique in that it heavily uses the AutoHotKey scripting language, a fork of the AutoIt language often used for testing. According to Morphisec Labs researchers, […]<\/p>\n","protected":false},"author":1,"featured_media":2801,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[36],"class_list":["post-2800","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\n
RAT is a very Dangerous Malware<\/a>
Hijacking is a dangerous type of Cyberattack<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"