1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

4/22/2019

0 Comments

Legitimate Windows Tool AutoHotkey Now Part of Cyber Attackers Arsenal to Avoid Detection

 
windows autohotkey

Legitimate Windows Tool AutoHotkey Now Part of Cyber Attackers Arsenal to Avoid Detection

Researchers at Trend Micro have discovered a new malicious software (malware) that uses the AutoHotkey – a Microsoft Windows tool initially aimed at providing easy keyboard shortcuts, enabling attackers to avoid detection, steal certain information and even gain remote control to a compromised computer.

This latest malware, according to Trend Microresearchers, initially infects a computer via a spear phishing attack, a form of a targeted cyber-attack that uses an email as a weapon. The malicious email used by the attackers contains a malicious attachment in the form of a disguised legitimate Excel file.

According to the researchers, at first glance, this disguised Excel file has only one filled sheet. Upon scrutiny, however, this file has another sheet with two blank columns. Upon closer look, the attackers had written malicious code on these two columns using white font, hiding the code in plain view.

Once the email receiver enables macro to open the disguised Excel file, AutoHotkey is then dropped onto the victim’s computer. The researchers said that the legitimate tool AutoHotkey allows the attackers to connect to the server that they control every 10 seconds to download, save and execute script files.

AutoHotkey, in this case, downloaded and executed TeamViewer, a software that allows attackers to gain remote control over the compromised computer. The researchers noted that AutoHotkey can download and execute other script files depending on the command it receives from the server controlled by the attackers.

Other malicious acts activated via AutoHotkey in this newly discovered malware include the creation of a link file in the startup folder for AutoHotkeyU32.exe, allowing the attack to persist even after a system restart, and the sending of the volume serial number of the C drive, which allows the attacker to identify the victim’s computer.

“We have yet to conclude this attack’s exact purpose,” researchers at Trend Micro said. “For now, we can surmise that it has the makings of a potential targeted attack because of its cyber espionage capabilities, as well as the potential for delivering ransomware and coinminer.”

History of AutoHotkey

AutoHotkey software is a free, open-source scripting language that was initially developed at providing easy keyboard shortcuts for Windows. This software, later on, evolved into something more than providing easy keyboard shortcuts as it allows Windows users to automate any desktop tasks, including monitoring programs, setting up scheduled tasks, and automating repetitive operations inside third-party software. The software was initially released 10 years ago, with the stable release of the software done only in November 2018.

The evolution of AutoHotkey made it an attractive tool for attackers. AutoHotkey, also known in the online gaming community as AHK, has been used numerous times in creating online game cheating tools. Beyond the gaming world, cyber attackers with varied criminal intents have made AutoHotkey as an addition to their attack arsenal.

An example of malware that abuses AutoHotkey is the malware called “Win32/Ahkarun.A”, an AutoHotKey compiled script that spreads itself without any human interaction through removable drives and sends the user's IP address to a remote server. According to Microsoft, which reported about the malware in June 2008, Ahkarun uses the common icon resembling a Windows file folder in order to trick a user into opening and executing the malware.

Once executed on the victim’s computer, this malware then awaits connections of removable media such as USB thumb drives, and when this happens the malware copies itself and components to the removable drive, and as a result performing malicious actions such as identifying the IP address of the infected machine and sending the obtained IP address to a predefined email account.

In February 2018, the research team at Ixiareported two cases of AutoHotkey-based malware, one distributing an cryptocurrency mining malware and the other distributing a clipboard hijacker. In cryptocurrency mining, an attacker hijacks the computing power of someone else’s computer for cryptocurrency mining. In clipboard hijacking, meanwhile, in the AutoHotkey-based malware discovered by the Ixia research team stays in the compromised computer’s memory and awaits for any activity in the clipboard. When a user inputs into the clipboard a cryptocurrency wallet address, the malware replaces the user’s cryptocurrency wallet address to the address owned and controlled by the attacker, thus tricking the victim into sending cryptocurrency to the attacker instead.

In March 2018, researchers at Cybereasondiscovered an AutoHotkey-based malware they called “Fauxpersky” as this malware masquerades as Kaspersky Antivirus and spreads through infected USB drives. Fauxpersky has a keylogging feature, recording every keystroke made by a computer user, exfiltrating the data recorded through Google Forms and depositing it in the attacker’s inbox.

Prevention

As shown in the above-mentioned examples of AutoHotkey-based malware, criminals are starting to abuse legitimate Windows tool AutoHotkey. Being a legitimate Windows tool, often used by system administrators, AutoHotkey flies under the radar and drops a varied range of payloads – part of the malware that performs malicious actions – without triggering any anti-malware alarms.

One of the reasons why we see lesser abuses of AutoHotkey by cyber attackers, to date, is due to the fact that this software isn’t pre-installed on Windows computers. Attackers, therefore, have to take an extra step of dropping the software onto the victim’s computer and executing it in order for this tool to work.

Training your organization’s staff to recognize, avoid and report suspicious emails is one approach that could prevent AutoHotkey abuses. As exemplified in the newly discovered AutoHotkey-based malware, attackers initially infect their victims through phishing attacks, a type of cyber attack that utilized emails as a weapon.

Another approach in preventing AutoHotkey abuses is by disabling your organization’s active content (data connections or macros). When active content is disabled, the next time your organization’s staff receives an active content via email, this content can’t be opened and the Message Bar with the notice "Macros have been disabled” will then appear as an alert that the active content may contain malware and other security hazards that could harm your organization’s computer or network.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit