AutoIt Used in Targeted Attacks to Move RATs

Researchers at Cisco spotted targeted attacks moving remote access Trojans via the AutoIt administration and scripting tool.

Months ago, hackers revived macros as an attack vector, primarily to hide banking malware spread by spam campaigns.

Not to be left out, some targeted attacks, kicked off by convincing phishing emails, have been moving a few remote access Trojans and other malware via Word docs. One particular targeted campaign, researchers at Cisco said, was using AutoIt to drop malware on compromised machines. AutoIt is freeware that allows Windows administrators to write scripts that automate tasks.

The use of macros by hackers is mitigated by the fact they’ve been disabled by default since the release of Office 2007. But Cisco researchers said the language and spoofed senders in the phishing emails accompanying the targeted attacks could be enough to convince a potential victim to enable macros and execute the attack.

“In this case, they’re impersonating a legitimate business. If the message is convincing enough, they could lower their guard and enable macros if they believe doing so will fully render a document or allow them to see the encoding of images a document may contain,” said Cisco Talos threat researcher Alex Chiu. “We’ve seen these techniques used with several targeted Dridex campaigns. They’re taking techniques that are old, and in this case, making them useful again.”

The use of AutoIt is not only unique, but effective in allowing the attackers to evade detection. AutoIt is a legitimate IT administration tool and could be whitelisted in many enterprises. In the case of this particular campaign, the victim is urged to enable macros on a Word document that pretends to be from a legitimate business. Once the victim executes the attack, it reaches out to hxxp://frontlinegulf[.]com/tmp/adobefile.exe, where it downloads a binary. The payloads change regularly, Cisco said. AutoIt was one such payload, downloaded in a self-extracting archive. Alongside AutoIt, the archive contained a 600MB AutoIt script that included anti-analysis checks, payload decryption, malware installation and persistence mechanisms. The script also installed either the Cybergate RAT, NanoCore RAT, or the Parite worm.

The RATs were used against a small number of organizations, Chiu said. The large AutoIt script would likely evade antivirus or intrusion detection systems that have file-size limits. Chiu also said that it looks for a particular antivirus installation and, if detected, sleeps for a defined period of time before executing. Once it does execute, it tries to disable Windows User Account Control (UAC) in order to establish persistence on the machine and continue decrypting its payload.
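The behaviours Cisco describes above (an Office process launching a downloader, an oversized AutoIt script, UAC being switched off, a Run-key entry written for persistence) map onto a handful of endpoint telemetry checks. The following is an added example, not code from the article or from Cisco Talos: it triages constructed Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records. The file paths, process IDs, the 100 MB size threshold and the file-size inventory are assumptions made for the example; the `EnableLUA` value is the real registry setting that controls UAC.

```python
"""Triage Sysmon-style events for the AutoIt campaign behaviours described above.

Added example with constructed input; thresholds and paths are assumptions.
"""
import json

# Assumption for this example: scripts above this size are treated as suspicious,
# since the article notes size-limited scanners may skip very large files.
LARGE_SCRIPT_BYTES = 100 * 1024 * 1024
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Real UAC switch: DWORD 0 here disables User Account Control.
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
RUN_KEY_FRAGMENT = "\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Constructed Sysmon-like records (JSON lines), not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE", "CommandLine": "cmd.exe /c C:\\Users\\user\\AppData\\Local\\Temp\\dropper.exe"}
{"EventID": 1, "ProcessId": 4388, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\AutoIt3.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "\"C:\\Users\\user\\AppData\\Local\\Temp\\AutoIt3.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\upd\\rk.au3\""}
{"EventID": 13, "ProcessId": 4388, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\AutoIt3.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "ProcessId": 4388, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\AutoIt3.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate", "Details": "C:\\Users\\user\\AppData\\Local\\Temp\\AutoIt3.exe C:\\Users\\user\\AppData\\Local\\Temp\\upd\\rk.au3"}
{"EventID": 1, "ProcessId": 5010, "Image": "C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe\" \"C:\\scripts\\inventory.au3\""}
"""

# Constructed file-size inventory (lower-cased paths), standing in for a file scan.
SAMPLE_FILE_SIZES = {
    r"c:\users\user\appdata\local\temp\upd\rk.au3": 600 * 1024 * 1024,
    r"c:\scripts\inventory.au3": 12_000,
}


def load_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_argument(cmdline):
    """Return the first .au3 token in a command line, or None.

    Whitespace splitting is enough for the sample; quoted paths containing
    spaces would need a proper Windows command-line tokenizer.
    """
    for tok in cmdline.replace('"', "").split():
        if tok.lower().endswith(".au3"):
            return tok
    return None


def triage(events, file_sizes):
    """Return (rule, pid, detail) findings for the behaviours in the article."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            image = _basename(ev["Image"])
            parent = _basename(ev.get("ParentImage", ""))
            if parent in OFFICE_PARENTS:
                findings.append(("office_spawned_process", ev["ProcessId"], image))
            if image == "autoit3.exe":
                script = script_argument(ev["CommandLine"])
                size = file_sizes.get(script.lower()) if script else None
                if size is not None and size > LARGE_SCRIPT_BYTES:
                    findings.append(("oversized_autoit_script", ev["ProcessId"], script))
        elif ev["EventID"] == 13:  # registry value set
            target = ev["TargetObject"]
            if target.lower() == UAC_KEY.lower() and ev["Details"].strip().lower() == "dword (0x00000000)":
                findings.append(("uac_disabled", ev["ProcessId"], ev["Image"]))
            if RUN_KEY_FRAGMENT.lower() in target.lower():
                findings.append(("run_key_persistence", ev["ProcessId"], target))
    return findings


def demo():
    """Run the rules over the constructed sample and return the findings."""
    return triage(load_events(SAMPLE_EVENTS), SAMPLE_FILE_SIZES)


if __name__ == "__main__":
    for rule, pid, detail in demo():
        print(f"{rule:26} pid={pid} {detail}")
```

The benign fifth record (an administrator running a small script from the normal AutoIt install path) produces no finding, which is the point of pairing the interpreter name with context such as parent process, script size and registry side effects rather than alerting on AutoIt3.exe alone.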

“Adversaries are using legitimate freeware to fly under the radar,” Chiu said. “It can hide as white noise because it appears as a management task.” Chiu said it’s unknown whether the targeted organizations already were using AutoIt in their environments.

As for the RATs, NanoCore was previously spotted in attacks against energy companies in Asia and the Middle East; earlier this year, source code for the RAT and its premium plugins was leaked online, making it widely accessible. Cybergate, meanwhile, has been available online for years and is considered easy to set up and use.

In January, Microsoft warned companies of a spike in macro-enabled malware. It said in December attacks peaked at fewer than 8,000 a day for a short time. Like the current campaign spotted by Cisco, victims were enticed to enable macros and were ultimately infected by either the Ardnel or Tarbir downloader that grabbed any variety of malware from there.

Discussion

  • czardas on

    Nowadays AutoIt is much more than an administration tool: I just thought I ought to mention this. The language has been greatly improved upon over the years, thanks to the efforts of many people involved in development. It always saddens me to see people abusing technology like this. The AutoIt community have been receiving a lot of spam attacks recently. We want to clean up the internet as much as anybody else. Long live AutoIt.
  • Andrew on

    At the end of the day, if you are executing code you don't trust - you are opening yourself for a virus. This has little to do with AutoIt, and I hope people realize this. If you allow users (likely with administrative rights) to run a random exe or even vbscript you could be in the same position. I respectfully disagree that AutoIt is, "effective in allowing the attackers to evade detection". A phishing email gets through your email security. A user opens this, downloads a file that gets by your AV, firewall, and proxy. This file asks permissions to do something that is unknown to the user, and that user says OK. Your AV doesn't catch the malicious code. Your firewall doesn't block the download of more malicious code. Your local AV client remains oblivious. Very likely your user has administrative rights to install other malware. How many failures is that? Why is the takeaway from that AutoIt? I fail to see how VBScript or a PowerShell script couldn't achieve the same result, let alone any machine code compiled EXE (of which AutoIt is not). If all malware has to do to fool your AV is be a large file size... maybe we should all demand more from our AV? AutoIt is a great scripting language capable of much more than automating tasks. I open this to rebuttal: how specifically did AutoIt evade anything where most other languages would have been spotted? The article just says it did, but doesn't say why AutoIt is unique. Long live AutoIt.
  • Jeremiah Logan on

    I agree, the author focuses on the language as the culprit of the attack, rather than the people truly behind it. What was, in this case, done in AutoIt could just as easily have been done in another language. Not sure if the bias in the article is due to the author's not being familiar with AutoIt (lack of research), an inherent lack of technical knowledge, or simply a lack of journalistic integrity.