AutoHotkey-Based credential stealer targets bank in the US and Canada

Experts spotted a new credential stealer written in AutoHotkey (AHK) scripting language that is targeting the US and Canadian bank customers.

Security experts from Trend Micro have discovered a new credential stealer written in AutoHotkey (AHK) scripting language that is targeting the US and Canadian bank customers as part of an ongoing campaign that has begun in early 2020.

AutoHotkey is an open-source scripting language for Windows that provides easy keyboard shortcuts or hotkeys, fast micro-creation, and software automation. AHK allows users to create a “compiled” .EXE with their code in it.

The campaign leverages a multi-stage infection chain that starts with a weaponized Excel file.

The malware infection consists of multiple stages that start with a malicious Excel file. The Office file contains an AHK script compiler executable, a malicious AHK script file, and a Visual Basic for Applications (VBA) AutoOpen macro. 

The macro drops and executes the downloader client script (“adb.ahk”) via a legitimate portable AHK script compiler executable (“adb.exe”).

“The dropped adb.exe and adb.ahk play critical roles in this infection. The adb.exe is a legitimate portable AHK script compiler, and its job is to compile and execute the AHK script at a given path. By default (with no parameter), this executable executes a script with the same name in the same directory.” reads the analysis published by Trend Micro. “The dropped AHK script is a downloader client that is responsible for achieving persistence, profiling victims, and downloading and executing the AHK script on a victim system.”

The downloader client script was also used to achieve persistence, profiling victims, and downloading and running additional AHK scripts from C2.

Trend Micro’s telemetry allowed tracking C2 servers that are in the US, the Netherlands, and Sweden. 

The info-stealer doesn’t receive commands directly from the C&C server, instead, it downloads and executes AHK scripts to execute different actions.

“For command execution, the malware accepts various AHK scripts for different tasks per victim and executes these using the same C&C URL (instead of implementing all modules in one file and accepting the command to execute them).” continues the analysis. “By doing this, the attacker can decide to upload a specific script to achieve customized tasks for each user or group of users. This also prevents the main components from being revealed publicly, specifically to other researchers or to sandboxes.”

The credential stealer targets multiple browsers, including Google Chrome, Microsoft Edge, and Opera, then exfiltrates stolen info to the C&C server in plaintext via an HTTP POST request.

Experts noticed that the AHK delivered scripts were containing instructions in Russian on how to use the scripts, a circumstance that suggests that the threat actor behind the attacks is a “hack-for-hire.”

“By using a scripting language that lacks a built-in compiler within a victim’s operating system, loading malicious components to achieve various tasks separately, and changing the C&C server frequently, the attacker has been able to hide their intention from sandboxes,” the researchers conclude.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, credential stealer)

[adrotate banner=”5″]

[adrotate banner=”13″]