Early this year, Trend Micro researcher Kyle Wilhoit observed an increase in the use of AutoIt in several hacker tools and malware, which were typically uploaded to sites like Pastebin and Pastie. In that blog post, Kyle noted that because AutoIt is an easy-to-learn language, we can expect more threat actors to incorporate this scripting language into their schemes. Now we’ve learned that he was right, as we are seeing more malware using AutoIt.
We recently encountered a ZeuS variant that arrives with a malicious AutoIt file and garbage files. It arrives via a spammed email message, and the unpacked file it arrives with is detected as TSPY_ZBOT.SMIG. Like any ZeuS/ZBOT variant, TSPY_ZBOT.SMIG drops a configuration file that contains a list of its targeted banks and other financial sites. It also steals information from different FTP sites and steals personal certificates from the infected system.
In addition, we also spotted two other malware families that use the same packer, which Trend Micro detects as TSPY_CHISBURG.A and TSPY_EUPUDS.A. When TSPY_CHISBURG.A is loaded into memory, it steals user names and passwords from Yahoo, Hotmail, Pidgin, FileZilla, and VPN/ISP credentials, among others. Similarly, TSPY_EUPUDS.A gathers data from the infected system such as user ID, browser and version, and OS version. It also steals information like user names and passwords stored in certain browsers. Cybercriminals may sell the gathered information in the cybercrime underground or use it to launch other attacks.
The new AutoIt packer tool code found online contains the ability to propagate via removable drives, has installation routines, and checks for installed antivirus software on the system. Furthermore, its code contains garbage code and obfuscated functions to make it harder to analyze. And while these malware (TSPY_CHISBURG.A and TSPY_EUPUDS.A) are old, they remain an effective means of stealing information, especially with the added capabilities of the AutoIt packer.
Packing malware in a scripting language such as AutoIt makes analysis arduous, especially when no decompiler is available to aid in the analysis. AutoIt is also used by normal applications, so compressed malware must be unpacked in order to isolate only the malicious routines and behavior.
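A small triage helper, added here as an example and not part of the original post or of any Trend Micro tool, that flags files carrying a compiled AutoIt script so an analyst knows an unpacking step is needed before the real behavior can be seen. It relies on the `AU3!EA06` / `AU3!EA05` marker that precedes the embedded script in compiled AutoIt v3 executables; the sample byte strings are constructed for illustration, not real samples.

```python
"""Triage helper: flag files that embed a compiled AutoIt v3 script.

Compiled AutoIt v3 executables store the script behind a marker beginning
with b"AU3!EA06" (older builds use b"AU3!EA05"). Finding the marker tells the
analyst the binary is an AutoIt wrapper, whether it is a benign application
or a packed payload such as the ZBOT/CHISBURG/EUPUDS samples discussed above,
and that the script must be extracted before the malicious routines are visible.
"""
from pathlib import Path
from typing import Optional

AUTOIT_MARKERS = (b"AU3!EA06", b"AU3!EA05")


def find_autoit_marker(data: bytes) -> Optional[dict]:
    """Return {"marker", "offset"} for the first AutoIt marker found, else None."""
    for marker in AUTOIT_MARKERS:
        idx = data.find(marker)
        if idx != -1:
            return {"marker": marker.decode("ascii"), "offset": idx}
    return None


def triage_file(path: str) -> dict:
    """Read a file from disk and report whether it looks like an AutoIt wrapper."""
    data = Path(path).read_bytes()
    hit = find_autoit_marker(data)
    return {
        "path": path,
        "autoit_wrapper": hit is not None,
        "marker": hit["marker"] if hit else None,
        "offset": hit["offset"] if hit else None,
        "size": len(data),
    }


# Constructed test blobs (not real malware): a fake MZ header, padding, and
# for the "packed" case an AutoIt marker where the embedded script would start.
SAMPLE_PACKED = b"MZ" + b"\x90" * 64 + b"AU3!EA06" + b"\x00" * 16
SAMPLE_CLEAN = b"MZ" + b"\x90" * 64


if __name__ == "__main__":
    import sys
    # Usage: python autoit_triage.py <file> [<file> ...]
    for p in sys.argv[1:]:
        r = triage_file(p)
        flag = "AUTOIT" if r["autoit_wrapper"] else "------"
        print(f"{flag} {r['path']} marker={r['marker']} offset={r['offset']}")
```

Files flagged `AUTOIT` are candidates for script extraction with an AutoIt decompiler; a hit alone does not prove malice, since legitimate AutoIt applications carry the same marker.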
To avoid these malware, we advise users to be wary of the email messages they receive and to avoid executing the attachments that come with them. Users are also encouraged to regularly update their systems and anti-malware software to ensure protection. Trend Micro detects and deletes all the malware reported in this post through the Smart Protection Network.
With additional insights from Rika Gregorio.