RAT Uses AutoHotKey

The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that heavily uses the AutoHotKey scripting language, a fork of the AutoIt language that is frequently used for testing purposes.

Researchers identified at least four versions of the RAT delivery campaign, each of which includes multiple advancements and adaptations over the past three months.

Attack Chain Highlighting Rare Techniques that the Attackers Use

  • Manifest flow hijack through VbsEdit manipulation
  • UAC bypass
  • Emulator bypass
  • Tampering with Microsoft Defender and other antivirus products
  • In-place compilation
  • Delivery through text share services

RAT Delivery Campaign

The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script. This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command.

In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions.

Researchers observed various RATs distributed via a simple AHK compiled script. They also identified several attack chains, all of which start with an AHK executable that leads to different VBScripts that eventually load the RAT.

Attack Chain

A second version of the malware was found to block connections to popular antivirus solutions by tampering with the victim’s hosts file. “This manipulation denies the DNS resolution for those domains by resolving the localhost IP address instead of the real one,” the researchers explained.
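A defender-side check for this kind of tampering, added here as an example and not taken from the Morphisec report: it parses a hosts file and flags any watched vendor domain (or subdomain) that has been pointed at a loopback or blackhole address. The watchlist domains and the sample hosts content are constructed placeholders, not real vendor domains.

```python
import ipaddress

# Addresses typically used to "sinkhole" a name via the hosts file.
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) from hosts-file text, skipping comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)  # ignore lines whose first token is not an address
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower(), line_no


def find_sinkholed(text, watchlist):
    """Return hosts-file entries that map a watched domain to a sinkhole address."""
    watch = tuple(d.lower().lstrip(".") for d in watchlist)
    hits = []
    for ip, host, line_no in parse_hosts(text):
        if ip not in SINKHOLE_TARGETS:
            continue  # a real address, not a denial of resolution
        if any(host == d or host.endswith("." + d) for d in watch):
            hits.append({"line": line_no, "ip": ip, "host": host})
    return hits


# Constructed sample hosts file; vendor domains below are placeholders (assumption).
SAMPLE_HOSTS = """\
# default entries
127.0.0.1 localhost
::1 localhost
# entries appended by the loader
127.0.0.1 update.av-vendor.example
127.0.0.1 cloud.av-vendor.example telemetry.defender-vendor.example
0.0.0.0 www.sandbox-vendor.example
198.51.100.7 unrelated.example
"""

# Placeholder watchlist; a real deployment would list the security vendors it relies on.
WATCHLIST = ["av-vendor.example", "defender-vendor.example", "sandbox-vendor.example"]
```

Running `find_sinkholed(SAMPLE_HOSTS, WATCHLIST)` returns the four appended entries and ignores the legitimate localhost lines.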

Another loader chain that was observed involved delivering LimeRAT via an obfuscated VBScript, which is decoded into a PowerShell command that retrieves a C# payload containing the final-stage executable from a Pastebin-like sharing service called “stikked.ch.”

Finally, a fourth attack chain discovered used an AHK script to execute a legitimate application, before dropping a VBScript that runs an in-memory PowerShell script to fetch the HCrypt malware loader and install AsyncRAT.

Morphisec researchers attributed all the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.

Final Word

Since threat actors study baseline security controls like emulators, antivirus, and UAC, they develop techniques to bypass and evade them. “The technique changes detailed in this report did not affect the impact of these campaigns. The tactical goals remained the same.

Rather, the technique changes were to bypass passive security controls. A common denominator among these evasive techniques is the abuse of process memory because it’s typically a static and predictable target for the adversary,” researchers said.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.