Experts Warn About Ongoing AutoHotkey-Based Malware Attacks

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,108
Cybersecurity researchers have uncovered an ongoing malware campaign that heavily relies on AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RAT) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm on target Windows systems.

At least four different versions of the campaign have been spotted starting February 2021, according to researchers from Morphisec Labs.

"The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script," the researchers noted. "This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions."

AutoHotkey is an open-source custom scripting language for Microsoft Windows that's meant to provide easy hotkeys for macro-creation and software automation, enabling users to automate repetitive tasks in any Windows application.

Regardless of the attack chain, the infection begins with an AHK executable that proceeds to drop and execute different VBScripts that eventually load the RAT on the compromised machine. In one variant of the attack first detected on March 31, the adversary behind the campaign encapsulated the dropped RAT with an AHK executable, in addition to disabling Microsoft Defender by deploying a Batch script and a shortcut (.LNK) file pointing to that script.

A second version of the malware was found to block connections to popular antivirus solutions by tampering with the victim's hosts file. "This manipulation denies the DNS resolution for those domains by resolving the localhost IP address instead of the real one," the researchers explained.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top