The Morphisec Labs team has been observing an ongoing RAT delivery campaign since February this year. This campaign heavily uses the AutoHotKey scripting language that is frequently used for testing purposes.
In a blog post detailing the campaign, Morphisec described various attack chains. The researchers attribute them to the same actor because each chain drops a legitimate application before performing malicious activity, uses the same resource naming convention (*.MP4, KELLVBS.VBS, CONHOST.EXE, etc.), uses AHK scripts that strongly resemble one another across all of the chains (commands such as FileInstall, Run and Sleep), uses the same directory spamming technique, and uses the same scripts and the same UAC bypass technique to disable Defender.
The Morphisec Labs team has identified at least four versions of the RAT delivery campaign in multiple adaptations over the past three months.
In the blog post, researchers highlight interesting and rare techniques that the attackers use:
- Manifest flow hijack through VbsEdit manipulation
- UAC bypass
- Emulator bypass
- In-place compilation
- Delivery through text share services
In the campaign, the attackers use a legitimate application to disguise their operations. The researchers identified several attack chains linked to this campaign.
An attack chain starts from an AutoHotKey (AHK) compiled script: an executable that bundles the AHK interpreter, the AHK script itself, and any files embedded via the FileInstall command. This leads to different VBScripts that eventually load some kind of RAT.
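As an added example (not code from the Morphisec post or from the campaign itself), the triage helper below pulls AHK command lines out of a compiled-script binary the way `strings` would and summarises what the embedded script drops with FileInstall and launches with Run, flagging the drop-a-script-then-run-it pattern described above. It assumes the script is stored as plain text inside the executable; the byte blob, file names and paths are constructed stand-ins.

```python
import re
from typing import Dict, List

# Constructed sample standing in for a compiled AHK loader: the script text
# sits between filler bytes so the extractor has something to skip.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16 + b"\xff\xfe"
    + b"FileInstall, video.mp4, %A_Temp%\\video.mp4, 1\r\n"
    + b"FileInstall, KELLVBS.VBS, %A_Temp%\\KELLVBS.VBS, 1\r\n"
    + b"Run, %A_Temp%\\video.mp4\r\n"
    + b"Sleep, 3000\r\n"
    + b"Run, wscript.exe %A_Temp%\\KELLVBS.VBS,, Hide\r\n"
    + b"\x00\x7f\x01" * 8
)

# AHK v1 command syntax is "Command, arg1, arg2, ...".  Only the three
# commands the campaign's scripts share are parsed; the rest is ignored.
CMD_RE = re.compile(rb"^\s*(FileInstall|Run|Sleep)\s*,\s*(.*)$", re.IGNORECASE)
SCRIPT_EXT = (".vbs", ".js", ".exe", ".ps1", ".bat")

def extract_script_lines(blob: bytes) -> List[bytes]:
    """strings-style pass: printable runs of the blob that parse as AHK commands."""
    return [run for run in re.findall(rb"[\x20-\x7e]{4,}", blob)
            if CMD_RE.match(run)]

def split_args(rest: bytes) -> List[str]:
    """Split an AHK argument list on commas (quoting is not handled)."""
    return [a.strip() for a in rest.decode("ascii").split(",")]

def triage(blob: bytes) -> Dict[str, object]:
    """Summarise what the embedded script drops and runs, and flag the
    drop-a-script-then-run-it pattern."""
    dropped, executed, sleeps = [], [], 0
    for line in extract_script_lines(blob):
        cmd, rest = CMD_RE.match(line).groups()
        args = split_args(rest)
        if cmd.lower() == b"fileinstall" and len(args) >= 2:
            dropped.append(args[1])   # FileInstall, Source, Dest: keep Dest
        elif cmd.lower() == b"run":
            executed.append(args[0])  # Run, Target: keep the launched target
        else:
            sleeps += 1               # Sleep between stages
    drops_script = any(d.lower().endswith(SCRIPT_EXT) for d in dropped)
    runs_dropped = any(d.lower() in e.lower() for d in dropped for e in executed)
    return {"dropped": dropped, "executed": executed, "sleeps": sleeps,
            "suspicious": drops_script and runs_dropped}
```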
The researchers observed various RATs distributed via an AHK compiled script.
The first malware Morphisec observed being delivered via this AHK loader were VjW0rm and the Houdini RAT. This attack chain is still in use today, with several changes over time, researchers say.
The threat actors study which security controls, such as emulators, antivirus and UAC, the victim has, and then develop techniques to bypass and evade them. The techniques the attackers use to bypass passive security controls always involved abusing process memory, “because it’s typically a static and predictable target for the adversary,” researchers explained.
The attack is still ongoing, and the Morphisec Labs team advises using a “modern” security solution that will detect such attacks in order to keep “the manual tradecraft employed by innovative attackers like this one” at bay.