Legitimate Windows Tool AutoHotkey Now Part of Cyber Attackers Arsenal to Avoid Detection

Legitimate Windows Tool AutoHotkey Now Part of Cyber Attackers Arsenal to Avoid Detection

Researchers at Trend Micro have discovered a new malicious software (malware) that uses the AutoHotkey – a Microsoft Windows tool initially aimed at providing easy keyboard shortcuts, enabling attackers to avoid detection, steal certain information and even gain remote control to a compromised computer.

This latest malware, according to Trend Microresearchers, initially infects a computer via a spear phishing attack, a form of a targeted cyber-attack that uses an email as a weapon. The malicious email used by the attackers contains a malicious attachment in the form of a disguised legitimate Excel file.

According to the researchers, at first glance, this disguised Excel file has only one filled sheet. Upon scrutiny, however, this file has another sheet with two blank columns. Upon closer look, the attackers had written malicious code on these two columns using white font, hiding the code in plain view.

Once the email receiver enables macro to open the disguised Excel file, AutoHotkey is then dropped onto the victim’s computer. The researchers said that the legitimate tool AutoHotkey allows the attackers to connect to the server that they control every 10 seconds to download, save and execute script files.

AutoHotkey, in this case, downloaded and executed TeamViewer, a software that allows attackers to gain remote control over the compromised computer. The researchers noted that AutoHotkey can download and execute other script files depending on the command it receives from the server controlled by the attackers.

Other malicious acts activated via AutoHotkey in this newly discovered malware include the creation of a link file in the startup folder for AutoHotkeyU32.exe, allowing the attack to persist even after a system restart, and the sending of the volume serial number of the C drive, which allows the attacker to identify the victim’s computer.

“We have yet to conclude this attack’s exact purpose,” researchers at Trend Micro said. “For now, we can surmise that it has the makings of a potential targeted attack because of its cyber espionage capabilities, as well as the potential for delivering ransomware and coinminer.”

History of AutoHotkey

AutoHotkey software is a free, open-source scripting language that was initially developed at providing easy keyboard shortcuts for Windows. This software, later on, evolved into something more than providing easy keyboard shortcuts as it allows Windows users to automate any desktop tasks, including monitoring programs, setting up scheduled tasks, and automating repetitive operations inside third-party software. The software was initially released 10 years ago, with the stable release of the software done only in November 2018.

The evolution of AutoHotkey made it an attractive tool for attackers. AutoHotkey, also known in the online gaming community as AHK, has been used numerous times in creating online game cheating tools. Beyond the gaming world, cyber attackers with varied criminal intents have made AutoHotkey as an addition to their attack arsenal.

An example of malware that abuses AutoHotkey is the malware called “Win32/Ahkarun.A”, an AutoHotKey compiled script that spreads itself without any human interaction through removable drives and sends the user's IP address to a remote server. According to Microsoft, which reported about the malware in June 2008, Ahkarun uses the common icon resembling a Windows file folder in order to trick a user into opening and executing the malware.

Once executed on the victim’s computer, this malware then awaits connections of removable media such as USB thumb drives, and when this happens the malware copies itself and components to the removable drive, and as a result performing malicious actions such as identifying the IP address of the infected machine and sending the obtained IP address to a predefined email account.

In February 2018, the research team at Ixiareported two cases of AutoHotkey-based malware, one distributing an cryptocurrency mining malware and the other distributing a clipboard hijacker. In cryptocurrency mining, an attacker hijacks the computing power of someone else’s computer for cryptocurrency mining. In clipboard hijacking, meanwhile, in the AutoHotkey-based malware discovered by the Ixia research team stays in the compromised computer’s memory and awaits for any activity in the clipboard. When a user inputs into the clipboard a cryptocurrency wallet address, the malware replaces the user’s cryptocurrency wallet address to the address owned and controlled by the attacker, thus tricking the victim into sending cryptocurrency to the attacker instead.

In March 2018, researchers at Cybereasondiscovered an AutoHotkey-based malware they called “Fauxpersky” as this malware masquerades as Kaspersky Antivirus and spreads through infected USB drives. Fauxpersky has a keylogging feature, recording every keystroke made by a computer user, exfiltrating the data recorded through Google Forms and depositing it in the attacker’s inbox.

Prevention

As shown in the above-mentioned examples of AutoHotkey-based malware, criminals are starting to abuse legitimate Windows tool AutoHotkey. Being a legitimate Windows tool, often used by system administrators, AutoHotkey flies under the radar and drops a varied range of payloads – part of the malware that performs malicious actions – without triggering any anti-malware alarms.

One of the reasons why we see lesser abuses of AutoHotkey by cyber attackers, to date, is due to the fact that this software isn’t pre-installed on Windows computers. Attackers, therefore, have to take an extra step of dropping the software onto the victim’s computer and executing it in order for this tool to work.

Training your organization’s staff to recognize, avoid and report suspicious emails is one approach that could prevent AutoHotkey abuses. As exemplified in the newly discovered AutoHotkey-based malware, attackers initially infect their victims through phishing attacks, a type of cyber attack that utilized emails as a weapon.

Another approach in preventing AutoHotkey abuses is by disabling your organization’s active content (data connections or macros). When active content is disabled, the next time your organization’s staff receives an active content via email, this content can’t be opened and the Message Bar with the notice "Macros have been disabled” will then appear as an alert that the active content may contain malware and other security hazards that could harm your organization’s computer or network.