AutoIt is a very flexible coding language that has been used since 1999 by developers looking for a fast, easy, and flexible scripting language for Windows. From simple scripts that modify text files to scripts that perform mass downloads behind complex GUIs, AutoIt is an easy-to-learn language that allows for quick development. However, malicious actors are increasingly using AutoIt to write malware and tools, and that trend appears to be getting stronger.

AutoIt Hacker Tools

Recently, we have seen an uptick in the amount of malicious AutoIt tool code being uploaded to Pastebin. One commonly seen tool, for instance, is a keylogger. Anyone with bad intentions can grab this code and compile and run it in a matter of seconds.

Figure 1. FTP section of keylogger

Figure 2. Sample Code

Upon compiling and executing the script, it creates two files: one that displays the captured keystrokes in a local HTML page, and a second that is a zip archive of the first, likely intended for exfiltration.

In addition to keyloggers, RAT (Remote Access Trojan) builders and server administration tools are becoming more prevalent. One RAT builder we identified was particularly interesting, as it showed a relatively professional level of development.

Figure 3. RAT connection tab

Figure 4. RAT server builder

Upon connecting to this RAT builder/administrator, the attacker can obtain a remote shell and perform a litany of other system tasks on the victim's machine. Further analysis of this RAT builder traces its developer back to several underground forums.

AutoIt Malware

In addition to tools being posted on sites like Pastebin and Pastie, we are also seeing a tremendous increase in the amount of malware that uses AutoIt as its scripting language. One piece of malware found in the wild was particularly interesting: a variant of the popular DarkComet RAT written in AutoIt. This variant runs a backdoor on the victim machine and communicates outbound to a malicious host at shark18952012.no-ip.info (188.161.9.226 at the time of writing) over port 1604.

Figure 5. RAT communication

In addition to its outbound communication, the malware also modifies the local software firewall policies to disable them, and installs itself to run at startup for persistence. This variant also drops the following file after execution:

File Name       MD5                                 File Type
tb2323xt.exe    a53056c5afd30f174af928bd44c05c01    PE File

Upon execution, the malware immediately disables the Windows Firewall. It then disables access to the Windows Registry, so that the changes it performed cannot be viewed or undone. Attempting to open the registry brings up the following error message:

Figure 6. Error message

What's interesting about this malware isn't that it's a DarkComet variant; it's that it is written in AutoIt and is detected by very few antivirus products. (Trend Micro detects this malware as TROJ_FYNLOSKI.BU.)
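The indicators quoted above (the C&C hostname and IP, port 1604, and the dropped file's name and MD5) are the kind of thing a defender sweeps logs for. The following is an added example, not code from the original post or from Trend Micro: a small Python indicator matcher run over a handful of constructed log lines in a hypothetical "timestamp key=value ..." format. The log lines, the 10.0.0.x and 203.0.113.x addresses and the field names are all made up for the example; only the indicators themselves come from the post. A destination port of 1604 on its own is graded low-confidence, since the post only says this sample used that port.

```python
from __future__ import annotations

# Indicators quoted in the post for the DarkComet/AutoIt variant.
IOC_DOMAIN = "shark18952012.no-ip.info"
IOC_IP = "188.161.9.226"
IOC_PORT = 1604
IOC_MD5 = "a53056c5afd30f174af928bd44c05c01"
IOC_FILENAME = "tb2323xt.exe"

# Constructed sample log lines (hypothetical format, not real telemetry).
SAMPLE_LOG = [
    "2014-09-15T10:02:11Z type=dns client=10.0.0.12 query=shark18952012.no-ip.info answer=188.161.9.226",
    "2014-09-15T10:02:12Z type=conn src=10.0.0.12:49211 dst=188.161.9.226:1604 proto=tcp",
    r"2014-09-15T10:02:13Z type=proc host=10.0.0.12 image=C:\Users\bob\AppData\Local\Temp\tb2323xt.exe md5=a53056c5afd30f174af928bd44c05c01",
    "2014-09-15T10:03:00Z type=conn src=10.0.0.13:49300 dst=203.0.113.7:443 proto=tcp",
    "2014-09-15T10:03:05Z type=conn src=10.0.0.14:49310 dst=203.0.113.9:1604 proto=tcp",
]


def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; the leading timestamp is stored under 'ts'."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def split_endpoint(endpoint: str) -> tuple[str, int | None]:
    """'ip:port' -> (ip, port as int); port is None when there is no numeric port."""
    ip, _, port = endpoint.rpartition(":")
    if not port.isdigit():
        return endpoint, None
    return ip, int(port)


def match_indicators(fields: dict) -> list[str]:
    """Return the names of the post's indicators that one parsed event matches."""
    hits = []
    dst_ip, dst_port = split_endpoint(fields.get("dst", ""))
    if fields.get("query", "").lower() == IOC_DOMAIN:
        hits.append("c2-domain")
    if fields.get("answer") == IOC_IP or dst_ip == IOC_IP:
        hits.append("c2-ip")
    if dst_port == IOC_PORT:
        # Port 1604 alone is weak evidence: only grade it high when the IP also matches.
        hits.append("c2-port" if dst_ip == IOC_IP else "port-1604-only(low-confidence)")
    if fields.get("md5", "").lower() == IOC_MD5:
        hits.append("dropped-file-md5")
    image = fields.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image == IOC_FILENAME:
        hits.append("dropped-file-name")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Run every line through the matcher; return (1-based line number, hits) for lines that hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_indicators(parse_line(line))
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

In practice the indicator lists would be loaded from a feed rather than hard-coded, and the dynamic-DNS hostname is the indicator most likely to survive the IP changing, so it deserves its own alert rather than being folded into the IP match.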

Why Do Hackers Like It?

The increased usage of AutoIt is likely attributable to the fact that AutoIt is scalable, very similar to BASIC, and extremely easy to code in. This ease of use removes the learning curve of more complex languages such as Python, which opens up a wide array of possibilities to attackers who might not otherwise take up a scripting language. In addition, the ability to host code on Pastebin, compile it natively, and run it as a stand-alone executable makes development very quick. Finally, AutoIt's native support for UPX packing makes obfuscating AutoIt applications easy.
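Both traits just mentioned, a compiled AutoIt stub and UPX packing, leave static fingerprints that a triage script can check before any signature exists. The following is an added example, not code from the original post or from Trend Micro: it walks the PE section table by hand to look for the default UPX section names (UPX0, UPX1, UPX2), searches for the AU3!EA06 marker string that compiled AutoIt v3 executables carry, and compares the file's MD5 with the dropped-file hash from the table above. The two sample files it triages are constructed PE skeletons built by a helper in the block (valid headers, no code), so the example runs offline; neither is a real sample.

```python
import hashlib
import struct

# Marker string carried by compiled AutoIt v3 executables (a common triage heuristic).
AUTOIT_MARKER = b"AU3!EA06"
# Section names the UPX packer writes by default.
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}
# MD5 of the dropped file listed in the post's table.
KNOWN_BAD_MD5 = "a53056c5afd30f174af928bd44c05c01"


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and return section names.
    Returns [] for anything that does not parse as a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                       # 20-byte COFF file header follows the signature
    if len(data) < coff + 20:
        return []
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    names = []
    for i in range(num_sections):             # each IMAGE_SECTION_HEADER is 40 bytes, name first
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Cheap static checks for the traits the post describes."""
    names = pe_section_names(data)
    return {
        "parsed_as_pe": bool(names),
        "sections": names,
        "upx_packed": any(n in UPX_SECTIONS for n in names),
        "autoit_compiled": AUTOIT_MARKER in data,
        "known_bad_md5": hashlib.md5(data).hexdigest() == KNOWN_BAD_MD5,
    }


def build_sample_pe(section_names, payload: bytes = b"") -> bytes:
    """Construct a minimal PE32 layout (headers and empty section entries only) for testing.
    This is not an executable program; it exists only so the parser has something to walk."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    optional_header = b"\0" * 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       len(optional_header), 0x102)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + optional_header + sections + payload


# Constructed samples: one packed AutoIt-style skeleton, one ordinary-looking skeleton.
PACKED_AUTOIT_SAMPLE = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], b"stub...AU3!EA06...script")
PLAIN_SAMPLE = build_sample_pe([b".text", b".rdata", b".data"], b"nothing of note")

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_AUTOIT_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, triage(blob))
```

Neither check is proof of malice on its own: plenty of legitimate software is compiled with AutoIt or packed with UPX. The value is in combining them with the behaviour described above (firewall disabled, registry access blocked, a startup entry added) when deciding what to look at first.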

Conclusion

As scripting languages like AutoIt continue to gain popularity, we expect more of these types of malware to migrate to them. The ease of use and learning, as well as the ability to post code easily to popular dropsites, make this a great opportunity for actors with malicious intentions to distribute their tools and malware. We recommend keeping your antivirus signatures up to date, and considering blocking access to Pastebin, Pastie, and other code dropsites on your corporate network where applicable.

© Copyright 2013 Trend Micro Inc. All rights reserved.