The Morphisec Labs team has tracked a novel and ongoing RAT delivery campaign that relies heavily on the AutoHotKey scripting language, a fork of the AutoIt language that is frequently used for testing purposes.
Researchers identified at least four versions of the RAT delivery campaign, each of which includes several advancements and adaptations over the past three months.
Attack Chain Highlighting Unusual Techniques that the Attackers Use
- Manifest flow hijack through VbsEdit manipulation
- UAC bypass
- Emulator bypass
- Tampering with Microsoft Defender and other antivirus products
- In-place compilation
- Delivery through text share services
RAT Delivery Campaign
The RAT delivery campaign begins from an AutoHotKey (AHK) compiled script. This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command.
In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions.
Researchers observed various RATs distributed via a simple AHK compiled script. They also identified several attack chains, all of which start with an AHK executable that leads to the different VBScripts that eventually load the RAT.
A second version of the malware was found to block connections to popular antivirus solutions by tampering with the victim’s hosts file. “This manipulation denies the DNS resolution for those domains by resolving the localhost IP address instead of the real one,” the researchers explained.
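The hosts-file trick described above is easy to check for on an endpoint: any line that maps a security vendor or update domain to a loopback or null address is a red flag. The following Python script is an added example and not code from the Morphisec report; the watched-domain list and the sample hosts content are constructed for illustration, and the watch list should be replaced with the domains your own security products actually contact.

```python
"""
Detect hosts-file tampering that sinkholes security-vendor domains.

Added example (not from the Morphisec report). It parses hosts-file text and
flags any entry that maps a watched domain to a loopback (127.0.0.0/8, ::1)
or unspecified (0.0.0.0, ::) address, which is how the campaign above blocked
DNS resolution for antivirus services.
"""
import ipaddress
import os
import re
from typing import List, Tuple

# Assumption: domain suffixes a defender wants to protect. These are
# constructed for illustration, not taken from the campaign.
WATCHED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "virustotal.com",
)

# Constructed sample hosts content: two legitimate localhost lines, two
# sinkholed vendor domains, and one unrelated intranet entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.virustotal.com
0.0.0.0         download.windowsupdate.com   # sinkhole
10.0.0.5        intranet.example
"""

LineHit = Tuple[int, str, str]  # (line number, address, hostname)


def _is_loopback_or_null(ip_text: str) -> bool:
    """True for 127.x, ::1, 0.0.0.0 and ::, which all silently swallow traffic."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_watched(hostname: str) -> bool:
    """Case-insensitive suffix match, tolerating a trailing dot."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_sinkholed_entries(hosts_text: str) -> List[LineHit]:
    """Return (line number, address, hostname) for every suspicious mapping."""
    hits: List[LineHit] = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        address, names = fields[0], fields[1:]
        if not _is_loopback_or_null(address):
            continue  # a real IP may be legitimate pinning; out of scope here
        for name in names:
            if _is_watched(name):
                hits.append((lineno, address, name))
    return hits


def default_hosts_path() -> str:
    """Hosts file location for the current platform (Windows path via SystemRoot)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = default_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # fall back to the constructed sample
    for lineno, address, name in find_sinkholed_entries(text):
        print(f"line {lineno}: {name} -> {address} (sinkholed)")
```

Run it on a host to audit the live hosts file; when the file cannot be read it falls back to the constructed sample, which yields two hits. Unspecified addresses are treated the same as loopback because `0.0.0.0` is a common alternative to `127.0.0.1` for the same blocking effect.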
Another loader chain that was observed involved delivering LimeRAT via an obfuscated VBScript, which is then decoded into a PowerShell command that retrieves a C# payload containing the final-stage executable from a Pastebin-like sharing service called “stikked.ch.”
Finally, a fourth attack chain that was discovered used an AHK script to execute a legitimate application, before dropping a VBScript that runs an in-memory PowerShell script to fetch the HCrypt malware loader and install AsyncRAT.
Morphisec researchers attributed all the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.
Since threat actors study baseline security controls like emulators, antivirus, and UAC, they develop techniques to bypass and evade them. “The technique changes detailed in this report did not affect the impact of these campaigns. The tactical goals remained the same.
Rather, the technique changes were to bypass passive security controls. A common denominator among these evasive techniques is the abuse of process memory because it is generally a static and predictable target for the adversary,” the researchers said.