AutoIt Used To Spread Malware and Toolsets
AutoIt is a very flexible scripting language that has been used since 1999 by coders looking for a fast, easy, and flexible way to script Windows. From simple scripts that change text files to scripts that perform mass downloads with complex GUIs, AutoIt is an easy-to-learn language that allows for quick development. However, the trend of malicious actors using AutoIt to write malware and tools has been increasing, and it appears to be getting stronger.
AutoIt Hacker Tools
Recently, we have seen an uptick in the amount of nefarious AutoIt tool code being uploaded to Pastebin. One commonly seen tool, for instance, is a keylogger. Anyone with bad intentions can grab this code and compile and run it in a matter of seconds.
Figure 1. FTP section of keylogger
Figure 2. Sample Code
Upon compiling and executing the script, it creates two files – one that displays the correlated keystrokes in a local HTML page, and a second file that is a zip file of the first file – likely for exfiltration.
In addition to keyloggers, RAT (Remote Access Trojan) builders and server administration tools are becoming more prevalent. One RAT builder we identified was particularly interesting, as it showed a relatively professional level of development.
Figure 3. RAT connection tab
Figure 4. RAT server builder
Upon connecting to this RAT builder/administrator, the nefarious actor can get a remote shell and perform a litany of other system tasks on the victim. Further analysis of this RAT builder traces the developer back to several underground forums.
In addition to tools being found on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware utilizing AutoIt as a scripting language. One piece of malware that was found in the wild was particularly interesting. This malware is a variant of the popular DarkComet RAT – utilizing AutoIt. This variant runs a backdoor on the victim machine and communicates outbound to a nefarious host at shark18952012.no-ip.info (126.96.36.199 at the time of writing) over port 1604.
Figure 5. RAT communication
In addition to its outbound communication, this malware also modifies the local software firewall policies to disable them, and installs itself at startup for persistence. This variant also drops the following file after execution:
Upon execution, the malware immediately disables the Windows Firewall. After disabling the firewall, it then disables access to the Windows registry so that the changes it made cannot be viewed or undone. Attempting to do so brings up the following error message:
Figure 6. Error message
What’s interesting about this malware isn’t that it’s a DarkComet variant; it’s that it is written in AutoIt and is detected by very few antivirus products. (Trend Micro detects this malware as TROJ_FYNLOSKI.BU.)
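The network indicators given above (the no-ip.info hostname, its IP address at the time of writing, and TCP port 1604) are the kind of thing a defender would turn into a log-scanning rule. The following is an added example, not code from the original post or from Trend Micro; it assumes a hypothetical key=value firewall/DNS export format and uses constructed sample log lines. A direct hit on the C2 address or domain is rated high, while any outbound connection to an external host on port 1604 is rated medium, since the port alone is a weaker signal.

```python
import re
from dataclasses import dataclass

# Indicators from the write-up above (the IP was current at the time of writing).
C2_DOMAIN = "shark18952012.no-ip.info"
C2_IP = "126.96.36.199"
C2_PORT = 1604

# Constructed sample log lines in a hypothetical key=value export format.
SAMPLE_LOG = """\
2013-05-01T10:01:02Z action=allow src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp
2013-05-01T10:01:05Z action=allow src=10.0.0.7 dst=126.96.36.199 dport=1604 proto=tcp
2013-05-01T10:02:11Z action=allow src=10.0.0.9 dst=198.51.100.20 dport=1604 proto=tcp
2013-05-01T10:03:40Z action=dns src=10.0.0.7 query=shark18952012.no-ip.info
2013-05-01T10:04:00Z action=allow src=10.0.0.5 dst=10.0.0.1 dport=1604 proto=tcp
"""


@dataclass
class Alert:
    line_no: int
    src: str
    reason: str
    severity: str


KV_RE = re.compile(r"(\w+)=(\S+)")
# RFC 1918 ranges: internal-to-internal traffic on port 1604 is not an indicator by itself.
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_line(line):
    """Turn one key=value log line into a dict (timestamp is not a key=value pair and is skipped)."""
    return dict(KV_RE.findall(line))


def scan_log(text):
    """Return Alert objects for every line matching one of the DarkComet/AutoIt indicators."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        f = parse_line(line)
        src = f.get("src", "?")
        # DNS resolution of the C2 hostname is itself worth an alert, even before any connection.
        if f.get("query", "").lower() == C2_DOMAIN:
            alerts.append(Alert(n, src, f"DNS lookup for C2 domain {C2_DOMAIN}", "high"))
            continue
        dst = f.get("dst", "")
        port = int(f.get("dport", 0))
        if dst == C2_IP:
            alerts.append(Alert(n, src, f"connection to known C2 address {C2_IP}", "high"))
        elif port == C2_PORT and dst and not PRIVATE_RE.match(dst):
            alerts.append(Alert(n, src, f"outbound TCP/{C2_PORT} to external host {dst}", "medium"))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no}: [{a.severity}] {a.src} -> {a.reason}")
```

Because dynamic DNS hostnames like the one above can be repointed at any time, the domain and the port-based rule will outlive the IP address; keep all three in the rule and re-resolve the hostname periodically rather than relying on the address alone.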
Why Do Hackers Like It?
The increased usage of AutoIt is likely attributable to the fact that AutoIt is scalable, very similar to Basic, and outrageously easy to code in. This ease of use removes the learning curve of more complex languages such as Python, which opens up a wide array of possibilities to hackers who might not otherwise pick up a scripting language. In addition, the ability to host code on Pastebin, compile it natively, and run it as a stand-alone executable makes development very quick. Finally, AutoIt’s native support for UPX packing makes obfuscation easy for AutoIt applications.
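The UPX packing mentioned above leaves a recognisable trace in the PE section table, and compiled AutoIt v3 scripts carry a marker string in the executable. The following is an added triage example, not code from the original post or from Trend Micro: it parses the section table of a Windows PE file, flags the UPX0/UPX1/UPX2 section names that UPX writes, and looks for the `AU3!EA06` marker that compiled AutoIt v3 scripts contain (an assumption about the AutoIt versions in use). It builds its own minimal, non-executable PE images as constructed test samples so it runs offline.

```python
import struct

# Section names written by the UPX packer.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Marker embedded in compiled AutoIt v3 scripts (assumption: applies to the AutoIt versions seen here).
AUTOIT_MARKER = b"AU3!EA06"


def build_sample_pe(section_names, payload=b""):
    """Construct a minimal, non-runnable PE image for testing (constructed sample, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # e_lfanew lives at offset 0x3C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (optional header omitted for brevity)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    # Each IMAGE_SECTION_HEADER is 40 bytes; only the 8-byte name matters for this check.
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + sections + payload


def pe_section_names(data):
    """Return the section names of a PE file, or [] if the data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff_off = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    table = coff_off + 20 + opt_size
    names = []
    for i in range(n_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:            # truncated section table: stop rather than misparse
            break
        names.append(raw.rstrip(b"\0"))
    return names


def triage(data):
    """Return a list of findings: 'upx-packed' and/or 'autoit-compiled'."""
    findings = []
    if any(name in UPX_SECTION_NAMES for name in pe_section_names(data)):
        findings.append("upx-packed")
    # The marker is only visible in an unpacked image; a UPX-packed sample hides it
    # until it has been unpacked (e.g. with upx -d), so a packed hit without the
    # marker still deserves a second look.
    if AUTOIT_MARKER in data:
        findings.append("autoit-compiled")
    return findings


if __name__ == "__main__":
    sample = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(pe_section_names(sample), triage(sample))
```

On a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `triage`; treat a UPX hit as a prompt to unpack and re-run, since the AutoIt marker will not be visible inside the compressed sections.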
As scripting languages like AutoIt continue to gain popularity, we expect more of these types of malware to migrate to them. The ease of use and learning, as well as the ability to post code easily to popular dropsites, make this a great opportunity for actors with nefarious intentions to propagate their tools and malware. We recommend keeping your antivirus signatures up to date, as well as considering blocking access to Pastebin, Pastie and other code dropsites on your corporate network where applicable.