Experts Warn About Ongoing AutoHotkey-Based Malware Attacks
2021-05-17 04:19

Cybersecurity researchers have uncovered an ongoing malware campaign that relies heavily on the AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RATs) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm on target Windows systems.

"The RAT delivery campaign starts from an AutoHotKey compiled script," the researchers noted.

AutoHotkey is an open-source custom scripting language for Microsoft Windows that's meant to provide easy hotkeys for macro-creation and software automation, enabling users to automate repetitive tasks in any Windows application.

In one variant of the attack first detected on March 31, the adversary behind the campaign encapsulated the dropped RAT with an AHK executable, in addition to disabling Microsoft Defender by deploying a Batch script and a shortcut file pointing to that script.

Lastly, a fourth attack chain discovered on April 21 used an AHK script to execute a legitimate application, before dropping a VBScript that runs an in-memory PowerShell script to fetch the HCrypt malware loader and install AsyncRAT. Morphisec researchers attributed all the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.

In December 2020, Trend Micro researchers uncovered a credential stealer written in the AutoHotkey scripting language that singled out financial institutions in the U.S. and Canada.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/oPwSzT7gLgw/experts-warn-about-ongoing-autohotkey.html