AutoHotkey is a free, open source hotkey scripting language for the Windows platform.
Researchers have discovered that attackers are distributing a new credential stealer written in the AutoHotkey (AHK) scripting language as part of an ongoing campaign that began in early 2020.
Customers of financial institutions in the United States and Canada are the main targets, in particular customers of Scotiabank, Royal Bank of Canada, HSBC, Alterna Bank, Capital One, Manulife and EQ Bank, along with one Indian bank, ICICI Bank. The goal is to steal users' bank card numbers and passwords.
AutoHotkey is an open source custom scripting language for Microsoft Windows, designed to provide easy hotkeys for macro creation and software automation, allowing users to automate repetitive tasks in any Windows application.
The multi-stage infection chain starts with an Excel file carrying a malicious Visual Basic for Applications (VBA) AutoOpen macro, which drops and executes the downloader client script ("adb.ahk") by way of a legitimate, portable AutoHotkey script compiler executable ("adb.exe").
The downloader client script is also responsible for establishing persistence, profiling the victim, and downloading and running additional AHK scripts from command-and-control (C&C) servers located in the United States, the Netherlands and Sweden.
What sets this malware apart is that, instead of receiving commands directly from the C&C server, it downloads and executes further AHK scripts to carry out each task.
Trend Micro researchers stated in an analysis report:
“By doing this, the attacker can decide to upload specific scripts to implement customized tasks for each user or user group. This also prevents the main components from being disclosed, especially to other researchers or sandboxes.”
The most important of these scripts is a credential stealer that targets browsers such as Google Chrome, Opera and Microsoft Edge. Once installed, the stealer also attempts to download a SQLite module ("sqlite3.dll") to the infected machine and uses it to run SQL queries against the SQLite databases in each browser's application data folder.
In the final step, the stealer collects and decrypts the credentials from the browsers and exfiltrates them to the C&C server in plaintext via an HTTP POST request, which also means the stolen data is visible to any network inspection between the victim and the C&C server.
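The drop-and-execute chain (an Office macro writing a renamed AutoHotkey interpreter and an .ahk script, then launching it) and the stealer's later load of sqlite3.dll give defenders several host-level signals. The following is an added example written for this page, not code from the article or from the Trend Micro report: four hunting rules run over constructed Sysmon-style events (process create = Event ID 1, image load = Event ID 7, file create = Event ID 11). All paths, PIDs and command lines are made up, and the set of OriginalFileName values for the AutoHotkey interpreter is an assumption to verify against the builds present in your own environment.

```python
# Added example: hunting rules for the AHK drop-and-execute chain and the
# stealer's sqlite3.dll load, evaluated over constructed Sysmon-style events.
# Every path, PID and command line is constructed for illustration.
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Assumed OriginalFileName values (PE version info) of AutoHotkey interpreter
# builds; Sysmon logs this field on Event ID 1, so renaming the file on disk
# does not change it.
AHK_ORIGINAL_NAMES = {"autohotkey.exe", "autohotkeyu32.exe",
                      "autohotkeyu64.exe", "autohotkeya32.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class Event:
    event_id: int
    image: str                     # process that created / loaded / wrote
    pid: int
    original_file_name: str = ""   # EID 1 only
    command_line: str = ""         # EID 1 only
    parent_image: str = ""         # EID 1 only
    image_loaded: str = ""         # EID 7 only
    target_filename: str = ""      # EID 11 only


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) triples. Events must be in time order so a
    process-create is seen before image loads by the same PID."""
    findings = []
    ahk_pids = set()
    for ev in events:
        img = basename(ev.image)
        if ev.event_id == 11:
            # Rule 1: an Office application writes an .ahk script or an .exe to disk
            if img in OFFICE_APPS and ev.target_filename.lower().endswith((".ahk", ".exe")):
                findings.append(("office_drops_ahk_or_exe", ev.pid, ev.target_filename))
        elif ev.event_id == 1:
            orig = ev.original_file_name.lower()
            is_ahk = orig in AHK_ORIGINAL_NAMES or img.startswith("autohotkey")
            runs_script = re.search(r"\.ahk\b", ev.command_line, re.I) is not None
            if is_ahk or runs_script:
                ahk_pids.add(ev.pid)
            # Rule 2: interpreter renamed on disk (name no longer matches version info)
            if orig in AHK_ORIGINAL_NAMES and not img.startswith("autohotkey"):
                findings.append(("renamed_ahk_interpreter", ev.pid,
                                 f"{img} has OriginalFileName {ev.original_file_name}"))
            # Rule 3: an Office process launches the interpreter or any .ahk script
            if basename(ev.parent_image) in OFFICE_APPS and (is_ahk or runs_script):
                findings.append(("office_spawns_ahk", ev.pid, ev.command_line))
        elif ev.event_id == 7:
            # Rule 4: an AHK process loads sqlite3.dll from a non-system directory
            from_system = ev.image_loaded.lower().startswith(SYSTEM_DIRS)
            if ev.pid in ahk_pids and basename(ev.image_loaded) == "sqlite3.dll" and not from_system:
                findings.append(("ahk_loads_sqlite", ev.pid, ev.image_loaded))
    return findings


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
DROP = r"C:\Users\alice\AppData\Roaming"
# Constructed sample telemetry: the malicious chain, one benign process, and
# a legitimate user-installed AutoHotkey launched from Explorer.
SAMPLE_EVENTS = [
    Event(11, image=EXCEL, pid=4120, target_filename=DROP + r"\adb.ahk"),
    Event(11, image=EXCEL, pid=4120, target_filename=DROP + r"\adb.exe"),
    Event(1, image=DROP + r"\adb.exe", pid=5316, original_file_name="AutoHotkey.exe",
          command_line=f'"{DROP}\\adb.exe" "{DROP}\\adb.ahk"', parent_image=EXCEL),
    Event(1, image=r"C:\Windows\System32\notepad.exe", pid=5400,
          original_file_name="NOTEPAD.EXE", command_line="notepad.exe",
          parent_image=r"C:\Windows\explorer.exe"),
    Event(7, image=DROP + r"\adb.exe", pid=5316, image_loaded=DROP + r"\sqlite3.dll"),
    Event(1, image=r"C:\Program Files\AutoHotkey\AutoHotkey.exe", pid=6000,
          original_file_name="AutoHotkey.exe",
          command_line=r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\scripts\hotkeys.ahk',
          parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Rule 2 is the one that survives the attacker's renaming trick, because Sysmon reads OriginalFileName from the PE version resource rather than from the file name; the legitimate AutoHotkey launch at the end of the sample produces no findings, since its on-disk name matches and its parent is Explorer rather than an Office application.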
The researchers also noted that the malware components are well organized at the code level, and that the presence of instructions written in Russian may indicate that a "hack-for-hire" group built the attack chain and is offering it to others as a service.
The researchers concluded:
“By using a scripting language that lacks a built-in compiler in the victim’s operating system, loading malicious components to accomplish various tasks, and changing the C&C server frequently, attackers have been able to hide their intentions from sandboxes.”