Cybersecurity researchers have uncovered an ongoing malware campaign that relies heavily on the AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RATs) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm on target Windows systems.
At least four different versions of the campaign have been spotted starting February 2021, according to researchers from Morphisec Labs.
“The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script,” the researchers noted. “This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions.”
AutoHotkey is an open-source custom scripting language for Microsoft Windows that’s meant to provide easy hotkeys for macro-creation and software automation, enabling users to automate repetitive tasks in any Windows application.
Regardless of the attack chain, the infection begins with an AHK executable that proceeds to drop and execute different VBScripts that eventually load the RAT on the compromised machine. In one variant of the attack first detected on March 31, the adversary behind the campaign encapsulated the dropped RAT with an AHK executable, in addition to disabling Microsoft Defender by deploying a Batch script and a shortcut (.LNK) file pointing to that script.
A second version of the malware was found to block connections to popular antivirus solutions by tampering with the victim’s hosts file. “This manipulation denies the DNS resolution for those domains by resolving the localhost IP address instead of the real one,” the researchers explained.
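A defender-side check for the hosts-file tampering described above, added here as an example and not taken from the Morphisec report: it flags hosts entries that point a watched security-vendor domain (or a subdomain) at a loopback or unspecified address. The watchlist domains and the sample file are constructed placeholders.

```python
import ipaddress

# Assumption: placeholder watchlist. Replace with the update and cloud-lookup
# domains of the security products actually deployed in the environment.
WATCHLIST = {"av-vendor.example", "edr-vendor.example"}

# Constructed sample hosts file, not taken from the campaign.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1  av-vendor.example www.av-vendor.example   # appended entry
0.0.0.0\tupdate.edr-vendor.example
10.0.0.5   intranet.corp.example
127.0.0.1  notav-vendor.example
#127.0.0.1 av-vendor.example
"""


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for each well-formed hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop full-line and inline comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        yield lineno, ip, [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(host, watchlist):
    """True for an exact match or a subdomain of a watched domain."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_sinkholed(text, watchlist=WATCHLIST):
    """Return (line, ip, host) for watched hosts mapped to loopback or 0.0.0.0/::."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        findings.extend((lineno, str(ip), h) for h in hosts if is_watched(h, watchlist))
    return findings


if __name__ == "__main__":
    for lineno, ip, host in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}")
```

On a Windows endpoint the input would be the contents of `%SystemRoot%\System32\drivers\etc\hosts`; any finding means the listed product can no longer resolve that domain through normal DNS.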
In a similar vein, another loader chain observed on April 26 involved delivering LimeRAT via an obfuscated VBScript, which is then decoded into a PowerShell command that retrieves a C# payload containing the final-stage executable from a Pastebin-like sharing platform called “stikked.ch.”
Lastly, a fourth attack chain discovered on April 21 used an AHK script to execute a legitimate application, before dropping a VBScript that runs an in-memory PowerShell script to fetch the HCrypt malware loader and install AsyncRAT.
Morphisec researchers attributed all the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.
“As threat actors study baseline security controls like emulators, antivirus, and UAC, they develop techniques to bypass and evade them,” the researchers said. “The technique changes detailed in this report did not affect the impact of these campaigns. The tactical goals remained the same. Rather, the technique changes were to bypass passive security controls. A common denominator among these evasive techniques is the abuse of process memory because it’s typically a static and predictable target for the adversary.”
This is not the first time adversaries have abused AutoHotkey to drop malware. In December 2020, Trend Micro researchers uncovered a credential stealer written in the AutoHotkey scripting language that singled out financial institutions in the U.S. and Canada.