This executable by default (with no passing parameter), executes an AHK script with the same name in the same directory which is in this case adb.ahk. With the multi-stage infection chain leveraging on a malware-laced Excel file that's embedded in a Visual Basic for Applications (VBA) AutoOpen macro, which subsequently is used to drop and execute the downloader client script ("adb.ahk") through a legitimate portable AHK script compiler executable ("adb.exe").Īnd the downloader client also creates an autorun link for adb.exe in the startup folder, which portable compiler is used to compile and execute the AHK script.
The downloader client script is responsible for the persistence, profiling of victims, and downloading additional AHK scripts from the command-and-control (C&C) servers which are located in the US, the Netherlands, and Sweden. Also, they are targeting financial institutions in the US and Canada. The full attack chain depicted below tracked the malware’s command-and-control (C&C) servers to determined the actual location, as these come from the US, the Netherlands, and Sweden. How AutoHotkey is used as Password Stealer to Target US and Canadian Banking Users? Albeit, AHK allows the creation of a “compiled”. While threat actors have generally employed scripting language that has no built-in compiler within victims' operating system, and so can’t be executed without its compiler such as Python, AutoIT, and AutoHotkey (AHK) scripting language. AutoHotkey (AHK) is an open-source scripting language used for Microsoft Windows to provide easy macro-creation hotkeys and software automation that allow users to automate repetitive tasks within Windows apps.Īccording to Trend Micro researchers, a recent campaign that distributed a credential stealer was discovered that is written in AHK and tracking the campaign, shows that its activity has been ongoing since early 2020.
0 kommentar(er)
