- Jul 22, 2014
IBM’s X-Force Research team reports hackers attacking Brazilian banks are using the Windows scripting tool called AutoIt to install a remote access Trojan (RAT) capable of hijacking browser-based banking sessions.
The use of AutoIt, researchers said, reduces the likelihood of antivirus detection. Attackers are often able to sidestep AV by using an AutoIt script to compile malicious code and run it as a valid AutoIt framework process.
AutoIt is a freeware administration tool for automating system management processes via scripts.
The use of AutoIt prevents static AV detection from recognizing the malware’s hash signature, said X-Force researchers Gadi Ostrovsky and Limor Kessem, who co-authored a report on the RAT Wednesday.
Once deployed, the RAT monitors the host’s browser window title bar, waiting for bank names. If one is detected, a full-screen image or webpage blocks the victim from the real bank’s webpage. Next, the RAT “take(s) control of the victim’s endpoint and the banking session he or she may have already authenticated,” according to researchers.
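Because each recompiled AutoIt build changes the file hash, a defender gets more mileage from a generic check than from hash signatures. The triage helper below is an added example, not code from the X-Force report; it assumes that compiled AutoIt v3 executables embed the marker `AU3!EA06`, and the sample paths and file contents are constructed.

```python
"""Triage helper that flags PE files carrying a compiled AutoIt v3 script.

Added example, not from the X-Force report. Assumption: compiled AutoIt v3
executables embed the marker b"AU3!EA06" ahead of the packed script, so the
check survives recompilation even though the file hash changes each build.
"""

AU3_MARKER = b"AU3!EA06"
# Locations a phishing-delivered dropper typically writes to; a legitimate
# AutoIt install lives under Program Files, so these paths add weight.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def is_compiled_autoit(data: bytes) -> bool:
    """True if data is a PE image (MZ header) embedding an AutoIt v3 script."""
    return data[:2] == b"MZ" and AU3_MARKER in data


def risk_score(path: str, data: bytes) -> int:
    """Score 0-3: compiled AutoIt (+1), in a user-writable dir (+1),
    not named like the stock interpreter (+1). Non-AutoIt files score 0."""
    if not is_compiled_autoit(data):
        return 0
    lowered = path.lower()
    score = 1
    if any(seg in lowered for seg in USER_WRITABLE):
        score += 1
    name = lowered.rsplit("\\", 1)[-1]
    if not name.startswith("autoit3"):
        score += 1
    return score


def triage(samples: dict, threshold: int = 2) -> list:
    """Return (path, score) for samples at or above threshold, highest first."""
    hits = [(p, risk_score(p, d)) for p, d in samples.items()]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


# Constructed stand-ins for PE files (real ones are far larger).
SAMPLES = {
    r"C:\Users\ana\AppData\Roaming\svchost_update.exe": b"MZ" + b"\x00" * 64 + AU3_MARKER + b"packed",
    r"C:\Program Files\AutoIt3\AutoIt3.exe": b"MZ" + b"\x00" * 64 + AU3_MARKER,
    r"C:\Windows\System32\notepad.exe": b"MZ" + b"\x00" * 64,
}

if __name__ == "__main__":
    for path, score in triage(SAMPLES):
        print(f"{score}  {path}")
```

The stock interpreter under Program Files scores low on purpose; the signal is a compiled script dropped into a user-writable directory under an unrelated name.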
“The malware’s operator remotely initiates a fraudulent transaction from the victim’s endpoint and may prompt the user to provide additional details by using the fake overlay screen,” researchers said.