Researchers discovered a new credential stealer written in AutoHotkey (AHK) scripting language that is targeting the US and Canadian bank customers as part of an ongoing campaign that has begun in early 2020.

AutoHotkey is an open-source scriptig language for Windows that provides easy keyboard shortcuts or hotkeys, fast micro-creation, and software automation. AHK allows users to create a “compiled” .EXE with their code in it.

The malware infection consists of multiple stages that start with a malicious Excel file. The Office file contains an AHK script compiler executable, a malicious AHK script file, and a Visual Basic for Applications (VBA) AutoOpen macro.

The macro drops and executes the downloader client script (“adb.ahk”) via a legitimate portable AHK script compiler executable (“adb.exe”).

“The dropped adb.exe and adb.ahk play critical roles in this infection. The adb.exe is a legitimate portable AHK script compiler, and its job is to compile and execute the AHK script at a given path. By default (with no parameter), this executable executes a script with the same name in the same directory.” reads the analysis published by Trend Micro. “The dropped AHK script is a downloader client that is responsible for achieving persistence, profiling victims, and downloading and executing the AHK script on a victim system.”

The downloader client script was also used to achieve persistence, profiling victims, and downloading and running additional AHK scripts from C2 from US, Netherland, Sweden

The info-stealer doesn’t receive commands directly from the C&C server, instead, it downloads and executes AHK scripts to execute different actions.

For command execution, the malware accepts various AHK scripts for different tasks per victim and executes these using the same C&C URL continues the analysis. The attacker can decide to upload a specific script to achieve customized tasks for each user or group of users. This also prevents the main components from being revealed publicly, specifically to other researchers or to sandboxes.

The credential stealer targets multiple browsers, including Google Chrome, Microsoft Edge, and Opera, then exfiltrates stolen info to the C&C server in plaintext via an HTTP POST request.

Scripting language that lacks a built-in compiler within a victim’s operating system, loading malicious components to achieve various tasks separately, and changing the C&C server frequently, the attacker has been able to hide their intention from sandboxes,.