April 26, 2024

Researchers discovered a new credential stealer written in AutoHotkey (AHK) scripting language that is targeting the US and Canadian bank customers as part of an ongoing campaign that has begun in early 2020.

AutoHotkey is an open-source scriptig language for Windows that provides easy keyboard shortcuts or hotkeys, fast micro-creation, and software automation. AHK allows users to create a “compiled” .EXE with their code in it.

The malware infection consists of multiple stages that start with a malicious Excel file. The Office file contains an AHK script compiler executable, a malicious AHK script file, and a Visual Basic for Applications (VBA) AutoOpen macro.

The macro drops and executes the downloader client script (“adb.ahk”) via a legitimate portable AHK script compiler executable (“adb.exe”).

“The dropped adb.exe and adb.ahk play critical roles in this infection. The adb.exe is a legitimate portable AHK script compiler, and its job is to compile and execute the AHK script at a given path. By default (with no parameter), this executable executes a script with the same name in the same directory.” reads the analysis published by Trend Micro. “The dropped AHK script is a downloader client that is responsible for achieving persistence, profiling victims, and downloading and executing the AHK script on a victim system.”

The downloader client script was also used to achieve persistence, profiling victims, and downloading and running additional AHK scripts from C2 from US, Netherland, Sweden

The info-stealer doesn’t receive commands directly from the C&C server, instead, it downloads and executes AHK scripts to execute different actions.

For command execution, the malware accepts various AHK scripts for different tasks per victim and executes these using the same C&C URL continues the analysis. The attacker can decide to upload a specific script to achieve customized tasks for each user or group of users. This also prevents the main components from being revealed publicly, specifically to other researchers or to sandboxes.

The credential stealer targets multiple browsers, including Google Chrome, Microsoft Edge, and Opera, then exfiltrates stolen info to the C&C server in plaintext via an HTTP POST request.

Scripting language that lacks a built-in compiler within a victim’s operating system, loading malicious components to achieve various tasks separately, and changing the C&C server frequently, the attacker has been able to hide their intention from sandboxes,.

Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

GitLab April 2024 Security Advisory – CVE-2024-2434

April 26, 2024

CISA KEV Update April 2024 – Part II

April 25, 2024

ArcaneDoor Exploits Cisco ASA and FTD

April 25, 2024

Google Fixes Critical Vulnerability in Chrome -CVE-2024-4058

April 24, 2024

Red Ransomware Victimized Targus

April 23, 2024

Oracle Virtual Box Vulnerability PoC Released – CVE-2024-21111

April 22, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading