@gbhackers.com //
Cybersecurity researchers have recently uncovered a sophisticated malware campaign that targets Windows systems by abusing AutoIT scripts. AutoIT, a scripting language originally designed for Windows automation, has become a popular tool in the malware ecosystem because it is simple to use and can interact with many Windows components. This particular campaign stands out for its use of a double layer of AutoIT code and intricate obfuscation techniques, which allow it to evade detection and maintain persistence on infected machines.

The attack begins with a compiled AutoIT executable file named "1. Project & Profit.exe" (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). Upon execution, this file downloads an AutoIT interpreter, saving it as "C:\Users\Public\Guard.exe," along with another AutoIT script, stored as "Secure.au3," and a PowerShell script named "PublicProfile.ps1." The "PublicProfile.ps1" script is immediately generated and executed, facilitating further stages of the infection. Persistence is achieved by creating a .url shortcut in the Windows Startup directory, ensuring that a JavaScript file is triggered upon each user login. This JavaScript file then re-executes the AutoIT interpreter with a second-stage script, keeping the malicious processes active.

The second layer of AutoIT code, referred to as script "G," employs heavy obfuscation to hinder analysis. All strings within this script are encoded using a custom function called "Wales," which stores each string as a sequence of decimal ASCII values that only becomes readable after decoding. An example of this obfuscation is the encoded sequence "80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41," which, when decoded, reveals "ProcessExists('avastui.exe')." This suggests the malware checks for antivirus processes in order to avoid detection or alter its behavior. The attack culminates in the execution of a malicious DLL named "Urshqbgpm.dll," which is injected into a "jsc.exe" process.
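The following is an added analyst helper, not code from the write-up or from the malware: it decodes the "]"-separated decimal ASCII encoding shown above and scans a script for such literals. The delimiter and decoding direction are inferred from the page's single example; the AutoIT fragment it scans is constructed for illustration, and only the function name "Wales" comes from the write-up.

```python
import re
from typing import Iterator

# Sample from the write-up: the literal that the malware's "Wales" routine decodes at run time.
ENCODED_SAMPLE = (
    "80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41"
)

# Constructed AutoIT fragment (not the real script) showing how such literals appear as arguments.
# The call name "Wales" comes from the write-up; the surrounding syntax is an assumption.
SAMPLE_SCRIPT = (
    'If Wales("' + ENCODED_SAMPLE + '") Then\n'
    '    Sleep(Wales("49]48]48]48"))\n'
    'EndIf\n'
)

# An encoded literal is two or more decimal numbers joined by "]" inside double quotes.
ENCODED_RE = re.compile(r'"(\d{1,3}(?:\]\d{1,3})+)"')


def decode_wales_string(encoded: str) -> str:
    """Decode a "]"-joined list of decimal character codes back to text.

    Codes outside printable ASCII are rendered as \\xNN so that a mis-parsed or
    binary literal stays visible instead of silently corrupting the output.
    """
    out = []
    for token in encoded.split("]"):
        if not token.isdigit():
            raise ValueError(f"non-numeric token {token!r} in encoded literal")
        code = int(token)
        out.append(chr(code) if 32 <= code < 127 else f"\\x{code:02x}")
    return "".join(out)


def extract_encoded_strings(script_text: str) -> Iterator[tuple[str, str]]:
    """Yield (encoded, decoded) pairs for every encoded literal found in a script."""
    for match in ENCODED_RE.finditer(script_text):
        encoded = match.group(1)
        yield encoded, decode_wales_string(encoded)


if __name__ == "__main__":
    # Print a de-obfuscated string table for the constructed sample script.
    for encoded, decoded in extract_encoded_strings(SAMPLE_SCRIPT):
        print(f"{decoded!r:40} <- {encoded[:24]}...")
```

Running the decoder over a recovered script produces a plain string table, which is usually enough to spot the antivirus checks, file paths and process names the obfuscation was meant to hide.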



References:
  • cyberpress.org: Hackers Use AutoIT Scripts to Spread Malware on Windows Systems
  • isc.sans.edu: RAT Dropped By Two Layers of AutoIT Code, (Mon, May 19th)
  • gbhackers.com: Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems