AutoIt Scripting Used By Overlay Malware to Bypass AV Detection

IBM’s X-Force Research team reports hackers attacking Brazilian banks are using the Windows scripting tool called AutoIt to reduce the likelihood of antivirus software detection.

IBM’s X-Force Research team reports hackers attacking Brazilian banks are using the Windows scripting tool called AutoIt to install a remote access Trojan (RAT) capable of hijacking browser-based banking sessions.

The use of AutoIt, researchers said, reduces the likelihood of antivirus detection. Attackers are often able to sidestep AV by using an AutoIt script to compile malicious code and run it as a valid AutoIt framework process.

AutoIt is a freeware administration tool for automating system management processes via scripts.

The use of AutoIt prevents static AV detection from recognizing the malware’s hash signature, said X-Force researchers Gadi Ostrovsky and Limor Kessem who co-authored a report on the RAT Wednesday.
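To show why a hash signature misses the wrapper and what a content check looks for instead, here is an added example (not code from the IBM report or Threatpost). It assumes the fixed "AU3!EA06" marker that the AutoIt v3 compiler embeds ahead of the packed script, and the sample binaries are constructed stand-ins, not real malware:

```python
"""Flag compiled-AutoIt wrappers by content rather than by file hash.

Static hash signatures fail against AutoIt-wrapped payloads because every
recompile of the script produces a new hash. The AutoIt v3 compiler embeds a
fixed marker in front of the packed script, so a content scan for that
marker keys on the wrapper itself and survives recompilation.
"""
import hashlib
from typing import Dict, Optional

# Marker string that AutoIt v3 places in compiled executables ahead of the
# embedded script (assumed here from public YARA rules; verify against your
# own AutoIt builds before relying on it).
AU3_MARKER = b"AU3!EA06"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_autoit_marker(data: bytes) -> Optional[int]:
    """Return the offset of the compiled-AutoIt marker, or None if absent."""
    idx = data.find(AU3_MARKER)
    return idx if idx >= 0 else None


def triage(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Hash each sample and report whether it carries the AutoIt wrapper marker."""
    report = {}
    for name, data in files.items():
        offset = find_autoit_marker(data)
        report[name] = {
            "sha256": sha256_hex(data),
            "autoit_wrapper": offset is not None,
            "marker_offset": offset,
        }
    return report


# Constructed stand-ins for two recompiled builds of the same wrapped script:
# identical marker and payload, different padding, so the hashes differ.
SAMPLES = {
    "build1.exe": b"MZ" + b"\x00" * 32 + AU3_MARKER + b"<packed script>",
    "build2.exe": b"MZ" + b"\x00" * 40 + AU3_MARKER + b"<packed script>",
    "benign.exe": b"MZ" + b"\x00" * 32 + b"plain program",
}

if __name__ == "__main__":
    for name, info in triage(SAMPLES).items():
        print(name, info)
```

Both wrapped builds get different SHA-256 values yet the same marker hit, which is the gap a hash-only signature leaves and a content rule closes.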

Once deployed, the RAT monitors the host’s browser window title bar waiting for bank names. If detected, a full-screen image or webpage blocks the victim from the real bank’s webpage. Next, the RAT “take(s) control of the victim’s endpoint and the banking session he or she may have already authenticated,” according to researchers.

“The malware’s operator remotely initiates a fraudulent transaction from the victim’s endpoint and may prompt the user to provide additional details by using the fake overlay screen,” researchers said.

X-Force researchers said Brazil has become a hotbed for financial malware and that recent uses of overlay malware highlight a trend toward more sophisticated malicious code in the region.

“In the past year, we have observed the rise of malware, such as Client Maximus and similar codes, that uses remote access with overlay screens for bank fraud operations in Brazil. Recently, we detected a remote access Trojan (RAT) malware that uses the same overall technique, but with an added twist to its antivirus evasion method,” according to X-Force.

The RAT does not have a name and its code is written in Delphi, a programming language common among hackers targeting Brazil. “These Delphi-based codes attacking in Brazil see so much code re-use there, that the malware is not defined into ‘families’ like the ones we know from the module Trojan world (Zeus, Ursnif, Dridex, etc),” said Kessem in an interview with Threatpost.

AutoIt has been leveraged several times in the past by attackers as a way to circumvent AV. Cisco Talos noted in 2015 a group of hackers had used the tool in conjunction with phishing attacks to install a RAT designed to maintain persistence on the target’s system by mimicking normal sys admin activity.

In 2013, researchers noted an uptick in malware using AutoIt as a scripting language, along with instances of keyloggers and RAT builders developed with AutoIt being uploaded to text storage and sharing sites such as Pastebin.

In Brazil, X-Force researchers said, overlay malware remains the preferred way to carry out attacks against banks. “As long as those types of attacks continue to serve them, threat actors are unlikely to see a need for change,” researchers wrote.
