According to Trend Micro researchers, a recently discovered campaign distributed a credential stealer written in AutoHotkey (AHK); tracking of the campaign shows that its activity has been ongoing since early 2020.
Threat actors have generally employed scripting languages whose compiler is not built into the victim's operating system, so that a script cannot execute unless the compiler is present; Python, AutoIt, and AutoHotkey (AHK) fall into this category. AHK, however, allows the creation of a "compiled" .EXE that carries the user's code inside it.
How is AutoHotkey used as a password stealer to target US and Canadian banking users?
The full attack chain is depicted below. The researchers tracked the malware's command-and-control (C&C) servers to determine their actual locations: they are hosted in the US, the Netherlands, and Sweden, and the campaign targets financial institutions in the US and Canada.
The downloader client script is responsible for persistence, profiling of victims, and downloading additional AHK scripts from the C&C servers in the US, the Netherlands, and Sweden. The multi-stage infection chain starts with a malware-laced Excel file whose Visual Basic for Applications (VBA) AutoOpen macro drops and executes the downloader client script ("adb.ahk") through a legitimate portable AHK script compiler executable ("adb.exe").
The downloader client also creates an autorun link for adb.exe in the Startup folder; adb.exe is the portable compiler used to compile and execute the AHK script. By default (when given no parameter), this executable runs the AHK script with the same name in the same directory, which in this case is adb.ahk.
The script keeps track of each victim by generating a unique ID based on the serial number of the C: drive. The malware then enters an infinite loop and sends an HTTP GET request carrying the generated ID every five seconds. The ID serves as the path on the C&C server from which the next AHK script is retrieved and executed on the infected system.
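The downloader described above polls its C&C with an HTTP GET to a fixed, ID-derived path every five seconds. The following is an added example, not part of the Trend Micro analysis or of the malware, showing how a defender could flag that fixed-interval beaconing in web proxy logs; the log format, IP addresses and the ID value are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the report): "timestamp src_ip method url".
# Host 10.0.0.5 issues GET requests to one fixed ID-as-path URL every ~5 seconds,
# the polling pattern described for the AHK downloader; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2021-01-10T09:00:00 10.0.0.5 GET http://198.51.100.20/ABCD1234
2021-01-10T09:00:01 10.0.0.9 GET http://example.org/index.html
2021-01-10T09:00:05 10.0.0.5 GET http://198.51.100.20/ABCD1234
2021-01-10T09:00:10 10.0.0.5 GET http://198.51.100.20/ABCD1234
2021-01-10T09:00:14 10.0.0.9 GET http://example.org/news
2021-01-10T09:00:15 10.0.0.5 GET http://198.51.100.20/ABCD1234
2021-01-10T09:00:20 10.0.0.5 GET http://198.51.100.20/ABCD1234
2021-01-10T09:00:25 10.0.0.5 GET http://198.51.100.20/ABCD1234
2021-01-10T09:00:41 10.0.0.9 GET http://example.org/news
2021-01-10T09:01:02 10.0.0.9 GET http://example.org/about
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Group request timestamps by (client, method, url)."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, src, method, url = m.groups()
        series[(src, method, url)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(text, min_hits=5, max_jitter=0.5):
    """Return (client, method, url, mean_interval_s) for request series whose
    inter-arrival gaps are nearly constant: many hits to one fixed URL with a
    low standard deviation of the gaps, as a fixed-interval poller produces."""
    beacons = []
    for (src, method, url), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons.append((src, method, url, mean(gaps)))
    return beacons
```

Human browsing produces irregular gaps and few repeats of one URL, so it falls below the hit threshold or above the jitter bound; a five-second poller to a single path stands out.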
Final steps that the stealer takes to collect and decrypt credentials
The stealer collects and decrypts credentials from browsers and exfiltrates the data to its C&C server in plaintext via an HTTP POST request.
The malware components are "well organized at the code level," and the inclusion of instructions written in Russian leads the researchers to suggest that a "hack-for-hire" group is behind the attack chain and is offering it as a service. This malware is also unusual in that, instead of receiving commands directly from the C&C server, it downloads and executes AHK scripts to accomplish its tasks.