Now, Morphisec Labs researchers have discovered a unique and ongoing RAT delivery campaign which started in February of 2021, that heavily relies on the AutoHotKey scripting languages. According to the researchers, there has been at least four different versions of the campaign spotted since February 2021.
Irrespective of the attack chain scenario, it begins with an AHK executable that drops and execute different VBScripts which eventually load the RAT on a compromised machine.
How AutoHotkey-based RAT Loader are Increasingly employed in Malware Campaigns?
Threat actors have generally used scripting language that has no built-in compiler on victims' operating system, and which can’t be executed without its compiler, such as AutoIT, Python, and AutoHotkey (AHK) scripting language.
The first attack detected on March 31 shows that the adversary behind the campaign encapsulated the dropped RAT with an AHK executable, disabling Microsoft Defender using a Batch script and a shortcut (.LNK) file pointing to the script. While in the second attack scenario, the malware block connections to popular antivirus solutions through the altering of the victim's hosts file, which denies the DNS resolution for these domains by resolving the localhost IP address in place of the real one.
Similarly, another AHK loader chain observed on April 26 delivered the LimeRAT through an obfuscated VBScript, which then is decoded into a PowerShell command which retrieves a C# payload containing the final-stage executable from a sharing platform service called "stikked.ch." And the last attack chain discovered on April 21 employed an AHK script to execute a legitimate app, and drops a VBScript that runs an in-memory PowerShell script to install AsyncRAT and fetch the HCrypt malware loader.
How to Safeguard against AutoHotkey-Based Malware Attacks
Threat actors develop techniques to bypass and evade modern security conventions, but the tactical goals had remained the same. Even as the technique changes to bypass passive security controls, common denominator among these evasive techniques is the abuse of process memory which is a static and predictable target for the adversary.
Therefore, we still need the baseline security controls to keep the automated attacks at bay and as the innovative attackers like the current scenarios require a modern approach to security.