
How the AHK Rat Loader uses AutoHotKey Scripting Language for Delivering Multiple RATs

by CISOCONNECT Bureau

Recently, researchers discovered a unique and ongoing RAT delivery campaign that uses the AutoHotKey scripting language. Read on to know more…

A malware campaign that uses the AutoHotkey (AHK) scripting language to deliver several RATs, including LimeRAT, AsyncRAT, Houdini, Vjw0rm, and Revenge RAT, has been discovered. Since February, at least four separate variants of this malware campaign have been identified.

AutoHotKey scripts are designed to help users automate specific tasks with pre-written scripts. These scripts are stored in a ‘.ahk’ file and run via an interpreter called AutoHotKey. However, cybercriminals have begun to take advantage of this useful feature to distribute and execute malicious software.

About AHK RAT Loader
In the months since its introduction, the AHK RAT Loader campaign has progressed rapidly, with several distinct attack chains, each becoming more sophisticated and gaining new functionality. The final RAT payloads have also varied a great deal: the hackers first used the VjW0rm and Houdini RATs before moving on to njRAT, LimeRAT, and RevengeRAT.

The AsyncRAT was delivered as the final payload in an attack chain that used the AHK RAT Loader but differed from the rest of the operations in this campaign.

Working Mechanism
According to Morphisec Labs researchers, the RAT distribution campaign begins with a compiled AHK script. The compiled executable bundles the AHK interpreter, the script itself, and any files added via the FileInstall command.

A second version, first released on March 31, blocked connections to antivirus solutions by tampering with the victim’s hosts file. The manipulation made certain antivirus domains resolve to the localhost IP address instead of their actual one, which prevented the victim’s machine from reaching them.
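A defender-side audit for the hosts-file tampering described above, added here as an example and not code from the article or from Morphisec; the sample hosts content and the vendor domain names are constructed placeholders:

```python
import ipaddress

# Constructed sample of a tampered hosts file: two non-local names are pinned to
# loopback/unspecified addresses, which silently breaks connections to them.
# The ".test" domains are placeholders, not values from the campaign.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   example-av-vendor.test
0.0.0.0     updates.example-av-vendor.test  # sinkholed
10.0.0.5    intranet.corp.example
"""

# Default location of the hosts file on Windows, for use against a live system.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def is_sinkhole_address(addr: str) -> bool:
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def find_suspicious_entries(text: str, allow=("localhost", "localhost.localdomain")):
    """Return entries that pin a hostname other than the allowed ones to a sinkhole address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if name not in allow and is_sinkhole_address(ip)]


if __name__ == "__main__":
    for ip, name in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On a live host, pass the contents of `WINDOWS_HOSTS_PATH` to `find_suspicious_entries` and alert on any result, since a legitimate hosts file rarely maps external domains to loopback.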

The third loader chain, first discovered on April 8, delivered LimeRAT through an obfuscated VBScript, which was decoded into a PowerShell command that retrieves a C# payload.

In a fourth attack chain, seen on May 2, an AHK script first runs a genuine application; a VBScript then executes an in-memory PowerShell script that fetches the HCrypt loader and installs AsyncRAT.

Past AHK Attacks
This isn’t the first time cybercriminals have used AHK to evade detection. A credential stealer written in AHK was discovered targeting financial institutions in the United States and Canada last December.

In March, the Mekotio banking trojan was found to be evading detection by using AHK and the AHK compiler. The trojan was stealing information from users and specifically targeting Spanish users.

Concluding Words
The threat actors study baseline security measures such as emulators, antivirus, and User Account Control (UAC) and devise strategies to circumvent and evade them. The changes in technique did not alter the effect of these campaigns; the operational objectives remained the same. Rather, the refinements in methodology were made to get around passive security controls. A common denominator among these evasive techniques is process memory, which is typically a static and predictable target for the adversary. Baseline controls are still needed to keep automated attacks at bay, but the manual tradecraft used by creative attackers like this one necessitates a modern security strategy.

By using the AHK scripting language, the threat actors can mask their purpose from sandboxes. Furthermore, the latest campaign employs cutting-edge methods to deliver multiple malware families. Protecting against such threats requires a proactive protection strategy, so companies should conduct a proactive audit of their critical assets.
