Security firm Trend Micro has seen an uptick in AutoIT-based malware thanks to the fact that it’s an easy-to-learn language that allows for quick development. It enables everything from simple scripts that change text files to scripts that perform mass downloads with complex GUIs. One nefarious AutoIT tool commonly seen uploaded to Pastebin is a keylogger.
“Grabbing this code, anyone with bad intentions can quickly compile and run it in a matter of seconds,” said threat researcher Kyle Wilhoit. “Upon compiling and executing the script, it creates two files – one that displays the correlated keystrokes in a local HTML page, and a second file that is a zip file of the first file – likely for exfiltration.”
In addition to keyloggers, Remote Access Trojan (RAT)-builders and server administrators based on AutoIT are becoming more prevalent.
“One RAT-builder identified was particularly interesting, as it showed a relatively professional level of development,” Wilhoit said. “Upon connecting to this RAT builder/administrator, the nefarious actor can get a remote shell and perform a litany of other system tasks on the victim. Further analysis of this RAT builder traces the developer back to several underground forums.”
Trend Micro also found a tremendous increase recently in the amount of malware utilizing AutoIT as a scripting language. One piece of malware found in the wild is a variant of the popular DarkComet RAT, written in AutoIT. This variant runs a backdoor on the victim machine and communicates outbound to a malicious host. It also modifies the local software firewall policies to disable them, in addition to installing itself at startup for persistence.
Upon execution of the malware, it immediately disables the Windows Firewall, and then disables the ability to get into the registry of Windows to view or undo the changes performed. Worst of all, it’s detected very sparsely by anti-virus products.
“The increased usage of AutoIT is likely attributed to the fact that AutoIT is scalable, very similar to Basic, and is outrageously easy to code in,” Wilhoit said. “This ease of use takes the learning curve off learning more complex languages such as Python. This opens up a wide array of possibilities to hackers that may not otherwise expose themselves to a scripting language.”
In addition, the ability to host code on Pastebin, natively compile, and run applications as stand-alone executable files makes it very quick to develop in. Meanwhile, he added, native support for UPX packing in AutoIT makes obfuscation easy for AutoIT applications.
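As an added illustration, not part of the original article or of Trend Micro's research, the following Python triage helper checks for the traces the article mentions: UPX section names and the compiled-AutoIt marker string in a binary, and the firewall-off, registry-tools-disabled and autostart values in a Windows registry export. The byte blob and the .reg text are constructed sample data; the firewall, policy and Run key paths are the real registry locations, while the autostart value name and file path are made up.

```python
"""Offline triage for two indicator types: UPX-packed compiled-AutoIt binaries,
and the firewall / registry-tool policy changes the article attributes to the
DarkComet variant. Everything runs against constructed sample data."""
import re

# Section names UPX gives a packed PE image; their presence is a cheap packer hint.
UPX_SECTION_NAMES = (b"UPX0", b"UPX1", b"UPX2")
# String embedded in executables built from compiled AutoIt3 scripts.
AUTOIT_MARKER = b"AU3!EA06"


def pe_indicators(blob: bytes) -> dict:
    """Static hints for a binary held in memory; a plain substring pass is enough
    for a first triage, no PE parser required."""
    return {
        "is_pe": blob[:2] == b"MZ",
        "upx_sections": sorted(n.decode() for n in UPX_SECTION_NAMES if n in blob),
        "autoit_compiled": AUTOIT_MARKER in blob,
    }


# One value line of a .reg export:  "Name"=data
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def policy_indicators(reg_text: str) -> list:
    """Scan a .reg export for the changes described in the article.

    Returns (key, value name, finding) tuples: the firewall-off flag under any
    FirewallPolicy\\*Profile key, a non-zero DisableRegistryTools policy, and
    every Run-key autostart entry (to be reviewed by hand; not every Run entry
    is malicious).
    """
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key header; values below belong to it
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group("name"), m.group("data")
        k = key.lower()
        if ("\\firewallpolicy\\" in k and k.endswith("profile")
                and name == "EnableFirewall" and data == "dword:00000000"):
            findings.append((key, name, "windows firewall disabled for profile"))
        elif (k.endswith("\\policies\\system") and name == "DisableRegistryTools"
                and data != "dword:00000000"):
            findings.append((key, name, "registry editing tools disabled"))
        elif k.endswith("\\currentversion\\run"):
            findings.append((key, name, "autostart entry: " + data))
    return findings


# Constructed stand-in for a packed, compiled AutoIt binary (not a real file).
SAMPLE_PE = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"UPX0" + b"\x00" * 36
             + b"UPX1" + b"\x00" * 36 + b"AU3!EA06" + b"\x00" * 16)

# Constructed .reg export showing the three changes. Key paths are the real
# policy locations; the autostart value name and path are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchelper"="C:\\Users\\victim\\AppData\\Roaming\\svchelper.exe"
"""

if __name__ == "__main__":
    print(pe_indicators(SAMPLE_PE))
    for key, name, what in policy_indicators(SAMPLE_REG):
        print(f"{what}: {key}\\{name}")
```

On a real case the byte blob would come from reading the suspect file and the .reg text from an export of the relevant hives; the Run-key match is deliberately broad so that an analyst sees every autostart entry rather than only ones matching a known name.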
“As scripting languages like AutoIT continue to gain popularity, we expect more of these types of malware to make a migration to using them,” Wilhoit said.