
SysAdmin admin tool AutoIt used in targeted attacks to serve malware


Security experts at Cisco have uncovered a targeted attack that leverages AutoIt to deliver a RAT and other malware while evading detection.

Security experts at Cisco uncovered a targeted hacking campaign that leveraged AutoIt to spread RATs and other malware via Word documents. The RATs were used to compromise computers at a small number of organizations.

“AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys).”

The attackers behind the targeted attacks used macros as the attack vector, a trend security experts have already observed in recent months.

Although macros have been disabled by default since Office 2007, the experts at Cisco explained that attackers are still able to convince victims to enable them through social engineering.

“In this case, they’re impersonating a legitimate business. If the message is convincing enough, they could lower their guard and enable macros if they believe doing so will fully render a document or allow them to see the encoding of images a document may contain,” explained the Cisco Talos researcher Alex Chiu. “We’ve seen these techniques used with several targeted Dridex campaigns. They’re taking techniques that are old, and in this case, making them useful again.”

The use of AutoIt is not new in the malware community. In September 2014 a Greek security researcher discovered a new strain of malware spread via spam email that was rapidly infecting a large number of machines. The malware was a combination of the AutoIT software (used to automate day-to-day tasks on computers) and a commercial keylogger named “Limitless Keylogger.” The researchers highlighted that Limitless Keylogger was used to intercept every keystroke users press and send them back to the attackers via email, while AutoIT was adopted to evade detection by antivirus programs.

In the latest targeted campaign, the experts at Cisco revealed that the victim is urged to enable macros in a Word document that pretends to come from a legitimate business. Once the victim enables the macro, it downloads a binary from hxxp://frontlinegulf[.]com/tmp/adobefile.exe.

Figure: the phishing Word document used to deliver AutoIt.

The experts observed that the attackers regularly change the malicious payloads, and AutoIt was one of them.

“Utilizing AutoIT within a payload is unique because it is a legitimate management tool. In this attack, AutoIT was utilized to install a Remote Access Trojan (RAT) and maintain persistence on the host in a manner that’s similar to normal administration activity.” states the blog post from Cisco. “Adversaries are using legitimate freeware to fly under the radar,” Chiu said. “It can hide as white noise because it appears as a management task.” Chiu said it’s unknown whether the targeted organizations already were using AutoIt in their environments.

The researchers also discovered that the attackers download onto the infected machine a 600MB AutoIt script that includes payload decryption routines, anti-analysis modules, and code to install the malware. According to Cisco, the AutoIt script installs either the Cybergate RAT, the NanoCore RAT, or the Parite worm.

The researchers explained that the script checks whether a particular antivirus product is installed and, if it is detected, sleeps for a defined period of time before executing. Once it enters running mode it tries to disable Windows User Access Control (UAC) in order to establish persistence on the target and decrypt its payload.
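The behaviours described above (an Office macro fetching and running an executable, the legitimate AutoIt interpreter being used as a loader, and a registry change that switches UAC off) are exactly the kind of thing endpoint telemetry can flag. The following is an added detection example written for this article, not code from Cisco Talos or Security Affairs. It assumes simplified Sysmon-style process-creation and registry events; the event fields, the user paths and the sample events are all constructed, and only the `adobefile.exe` file name comes from the article. The benign AutoIt launch at the end is included to show that the rule keys on where the script and interpreter live, not on AutoIt itself, because the tool is legitimately used for administration.

```python
"""Detection logic for the AutoIt delivery chain described in the article.

Added example; not Cisco's or Security Affairs' code. It scans constructed
process-creation and registry events (simplified Sysmon-style fields) for:
  1. an Office application spawning an executable from a user-writable path
     (the macro fetched and ran adobefile.exe);
  2. the AutoIt interpreter run with a script from a user-writable path
     (the legitimate tool used as a loader);
  3. a registry write that sets EnableLUA to 0 (UAC being disabled).
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}
# Directories an unprivileged user (or a macro) can write to; assumption for this example.
USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads|appdata)\\", re.IGNORECASE)
UAC_VALUE = r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua"


@dataclass
class Event:
    kind: str          # "process" or "registry"
    parent: str = ""   # parent image path (process events)
    image: str = ""    # child image path (process events)
    cmdline: str = ""  # full command line (process events)
    target: str = ""   # registry value path (registry events)
    value: str = ""    # data written to the value (registry events)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the names of the detections that fire on a single event."""
    hits = []
    if event.kind == "process":
        parent, child = basename(event.parent), basename(event.image)
        # 1. Office app launching something out of temp/downloads/appdata
        if parent in OFFICE_PARENTS and USER_WRITABLE.search(event.image):
            hits.append("office_spawns_temp_executable")
        # 2. AutoIt interpreter or its script living in a user-writable directory
        if child in AUTOIT_IMAGES and (
            USER_WRITABLE.search(event.image) or USER_WRITABLE.search(event.cmdline)
        ):
            hits.append("autoit_script_from_user_path")
    elif event.kind == "registry":
        # 3. EnableLUA set to 0 turns User Account Control off
        if event.target.lower() == UAC_VALUE and event.value.strip() in ("0", "DWORD (0x00000000)"):
            hits.append("uac_disabled_via_enablelua")
    return hits


def scan(events):
    """Run detect() over a list of events; returns (event index, detection name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in detect(ev)]


# Constructed sample telemetry (not real logs). Events 0-2 mimic the chain in the
# article; events 3-4 are benign launches that must not fire.
SAMPLE_EVENTS = [
    Event("process", parent=r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
          image=r"C:\Users\alice\AppData\Local\Temp\adobefile.exe",
          cmdline="adobefile.exe"),
    Event("process", parent=r"C:\Users\alice\AppData\Local\Temp\adobefile.exe",
          image=r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
          cmdline=r"AutoIt3.exe C:\Users\alice\AppData\Local\Temp\payload.au3"),
    Event("registry", target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
          value="0"),
    # Legitimate administration: interpreter and script in protected locations
    Event("process", parent=r"C:\Windows\explorer.exe",
          image=r"C:\Program Files\AutoIt3\AutoIt3.exe",
          cmdline=r"AutoIt3.exe C:\Scripts\inventory.au3"),
    # Word spawning a helper from Program Files is normal and not flagged
    Event("process", parent=r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
          image=r"C:\Program Files\Common Files\Microsoft Shared\OFFICE15\splwow64.exe",
          cmdline="splwow64.exe"),
]

if __name__ == "__main__":
    for index, name in scan(SAMPLE_EVENTS):
        print(f"event {index}: {name}")
```

The three rules are deliberately independent so each can be tuned on its own: the Office-spawn rule will need an allow-list of known helpers in a real environment, and the AutoIt rule should be widened to cover compiled AutoIt executables if the organization does not use the interpreter directly. The article notes that the script sleeps when it finds a particular antivirus product installed, which is why a registry or process signal at execution time is a more reliable trigger than waiting for the payload to misbehave.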


Pierluigi Paganini

(Security Affairs – RAT, AutoIt)
