Security Affairs
Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

AutoIT Malware infected thousands of computers worldwide

A Greek security researcher discovered a strain of malware which is a combination of AutoIT software and a commercial Keylogger named Limitless Keylogger. A few days ago security a database containing 5 million alleged Google login and password has been leaked online on a Russian cyber security internet forum. Google immediately started its investigation and discovered that huge archive […]

AutoIT Malware infected thousands of computers worldwide

A Greek security researcher discovered a strain of malware which is a combination of AutoIT software and a commercial Keylogger named Limitless Keylogger.

A few days ago security a database containing 5 million alleged Google login and password has been leaked online on a Russian cyber security internet forum. Google immediately started its investigation and discovered that huge archive of Gmail credentials didn’t come from the security data breaches, rather the accounts’ data had been stolen by phishing attacks and other illegal practices, including social engineering attacks and malware based attacks.

Recently it has been discovered a malware which infected hundreds of thousands of computers worldwide with the purpose to syphon users’ data. The malware based attack allowed bad actors to steal social and banking site credentials.

A Greek security researcher discovered a new strain of malware spread via spam email infecting rapidly a huge number of machines. The expert detected the malware while it was attacking his corporate honeypot and conducted technical analyses posting its results on a blog post. The malware appears as a combination of software AutoIT (Automate day-to-day tasks on computers) and a commercial Keylogger named “Limitless Keylogger”. The researchers highlighted the use of Limitless Keylogger to intercept every keystrokes users press and send them back to the attackers via email, meanwhile AutoIT was adopted in order to evade detection by Antivirus programs.

The use of Keylogger confirms the intention of attackers into users’ credentials for most popular web services, including Email accounts, Social Media accounts and Online Bank accounts.

The researcher explained that malware is sent as mail attachment with a customized icon.

“The mail attachment, contained this file. An executable with a custom icon. After a fast static analysis, it is recognised to be a WinRAR SFX executable with some dummy comments.”  states the researcher.

 The malicious file archive includes the following files:
  • AutoIT script ‘update.exe’ of 331MB
  • Python script to “deobfuscate” AutoIT script
  • oziryzkvvcpm.AWX – Settings for AutoIT script
  • sgym.VQA – Another Encrypted malware/Payload Binary
AutoIT malware Limitless keylogger malware

The researcher discovered that originally the AutoIT Script size is 331MB, but once “deobfuscate” it appears as a tiny malicious code with only 55 kb in size.

The threat actor dedicated great attention to evasion technique, he implemented several functionalities to keep hidden malware and its activities.

The Greek researcher has analyzed the network traffic produced by the malware, in particular, he sniffed SMTP data, discovering that information collected from the keylogger was sent to a specific email, “ontherun4sales@yandex.ru”.

 

AutoIT malware Limitless-keylogger-traffic

 

The researcher speculated that a group of Indonesian hackers is behind the spam campaign and the cyber criminals are targeting popular companies from different industries.

Possibly some Indonesian hackers might have used the malicious software available on the Russian hacking forum sites”  “and the targets are well known companies from retail industryoilairlines etc” said the researcher.

The researcher closes the post with an interesting observation it seems that cyber criminals forgot their keylogger logs in public!

AutoIt malware Limitless keylogger traffic google search

“If we de-base64 the traffic send by the Limitless Logger via mail, and search the pattern in google, you can find some interesting things.. :D

Pierluigi Paganini

(Security Affairs – AutoIT  malware, cybercrime)