AutoIT Malware infected thousands of computers worldwide

Pierluigi Paganini September 25, 2014

A Greek security researcher discovered a strain of malware which is a combination of AutoIT software and a commercial Keylogger named Limitless Keylogger.

A few days ago security a database containing 5 million alleged Google login and password has been leaked online on a Russian cyber security internet forum. Google immediately started its investigation and discovered that huge archive of Gmail credentials didn’t come from the security data breaches, rather the accounts’ data had been stolen by phishing attacks and other illegal practices, including social engineering attacks and malware based attacks.

Recently it has been discovered a malware which infected hundreds of thousands of computers worldwide with the purpose to syphon users’ data. The malware based attack allowed bad actors to steal social and banking site credentials.

A Greek security researcher discovered a new strain of malware spread via spam email infecting rapidly a huge number of machines. The expert detected the malware while it was attacking his corporate honeypot and conducted technical analyses posting its results on a blog post. The malware appears as a combination of software AutoIT (Automate day-to-day tasks on computers) and a commercial Keylogger named “Limitless Keylogger”. The researchers highlighted the use of Limitless Keylogger to intercept every keystrokes users press and send them back to the attackers via email, meanwhile AutoIT was adopted in order to evade detection by Antivirus programs.

The use of Keylogger confirms the intention of attackers into users’ credentials for most popular web services, including Email accounts, Social Media accounts and Online Bank accounts.

The researcher explained that malware is sent as mail attachment with a customized icon.

“The mail attachment, contained this file. An executable with a custom icon. After a fast static analysis, it is recognised to be a WinRAR SFX executable with some dummy comments.”  states the researcher.

 The malicious file archive includes the following files:
  • AutoIT script ‘update.exe’ of 331MB
  • Python script to “deobfuscate” AutoIT script
  • oziryzkvvcpm.AWX – Settings for AutoIT script
  • sgym.VQA – Another Encrypted malware/Payload Binary
AutoIT malware Limitless keylogger malware

The researcher discovered that originally the AutoIT Script size is 331MB, but once “deobfuscate” it appears as a tiny malicious code with only 55 kb in size.

The threat actor dedicated great attention to evasion technique, he implemented several functionalities to keep hidden malware and its activities.

The Greek researcher has analyzed the network traffic produced by the malware, in particular, he sniffed SMTP data, discovering that information collected from the keylogger was sent to a specific email, “[email protected]”.


AutoIT malware Limitless-keylogger-traffic


The researcher speculated that a group of Indonesian hackers is behind the spam campaign and the cyber criminals are targeting popular companies from different industries.

Possibly some Indonesian hackers might have used the malicious software available on the Russian hacking forum sites”  “and the targets are well known companies from retail industryoilairlines etc” said the researcher.

The researcher closes the post with an interesting observation it seems that cyber criminals forgot their keylogger logs in public!

AutoIt malware Limitless keylogger traffic google search

“If we de-base64 the traffic send by the Limitless Logger via mail, and search the pattern in google, you can find some interesting things.. :D

Pierluigi Paganini

(Security Affairs – AutoIT  malware, cybercrime)

you might also like

leave a comment