{"id":6080,"date":"2021-05-19T02:53:38","date_gmt":"2021-05-19T02:53:38","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=6080"},"modified":"2021-05-19T09:51:22","modified_gmt":"2021-05-19T09:51:22","slug":"rat-uses-autohotkey","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/","title":{"rendered":"A New Unique RAT Heavily Uses The Autohotkey Scripting Language On An Ongoing Malware Campaign"},"content":{"rendered":"\n<p>The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that heavily uses the AutoHotKey scripting language, a fork of the AutoIt language that is frequently used for testing purposes.<\/p>\n\n\n\n<p>Researchers identified at least four versions of the RAT delivery campaign, each of which includes multiple advancements and adaptations over the past three months.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Attack Chain Highlighting Rare Techniques that the Attackers Use<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Manifest flow hijack through VbsEdit manipulation<\/li><li><a href=\"https:\/\/attack.mitre.org\/techniques\/T1548\/002\/\" target=\"_blank\" rel=\"noreferrer noopener\">UAC bypass<\/a><\/li><li>Emulator bypass<\/li><li>Tampering with Microsoft Defender and other antivirus products<\/li><li>In-place compilation<\/li><li>Delivery through text share services<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>RAT Delivery Campaign<\/strong><\/h3>\n\n\n\n<p>The RAT delivery campaign starts from an <a href=\"https:\/\/www.autohotkey.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">AutoHotKey <\/a>(AHK) compiled script. 
This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command.<\/p>\n\n\n\n<p>In this campaign, the attackers incorporate malicious scripts\/executables alongside a legitimate application to disguise their intentions.<\/p>\n\n\n\n<p class=\"has-background\" style=\"background-color:#f0f0f0\">Researchers <a href=\"https:\/\/blog.morphisec.com\/ahk-rat-loader-leveraged-in-unique-delivery-campaigns\" target=\"_blank\" rel=\"noreferrer noopener\">observed<\/a> various RATs distributed via a simple AHK compiled script. They also identified several attack chains all of which start with an AHK executable that leads to the different VBScripts that eventually load the RAT.<\/p>\n\n\n\n<div class=\"wp-block-image is-style-default\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-pPJToLJgDZ4\/YKR7qm5YzrI\/AAAAAAAANLM\/NwxTg3vDuzoKWAK966Wiq1yA6USPkTG5QCLcBGAsYHQ\/s16000\/Attack%2BChain%2B%25281%2529.png\" alt=\"\"\/><figcaption>Attack Chain<\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"has-background\" style=\"background-color:#e7eaed\">A second version of the malware was found to block connections to popular antivirus solutions by tampering with the victim&#8217;s hosts file. 
&#8220;This manipulation denies the DNS resolution for those domains by resolving the localhost IP address instead of the real one,&#8221; the researchers explained.<\/p>\n\n\n\n<p>Another loader chain that researchers observed involved delivering LimeRAT via an obfuscated VBScript, which is decoded into a PowerShell command that retrieves a C# payload containing the final-stage executable from a Pastebin-like sharing service called &#8220;stikked.ch.&#8221;<\/p>\n\n\n\n<p>Finally, a fourth attack chain that was discovered used an AHK script to execute a legitimate application before dropping a VBScript that runs an in-memory PowerShell script to fetch the HCrypt malware loader and install AsyncRAT.<\/p>\n\n\n\n<p>Morphisec researchers attributed all the different attack chains to the same threat actor, citing similarities in the AHK script and overlaps in the techniques used to disable Microsoft Defender.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Final Word<\/strong><\/h4>\n\n\n\n<p>Since threat actors study baseline security controls like emulators, antivirus, and UAC, they develop techniques to bypass and evade them. &#8220;The technique changes detailed in this report did not affect the impact of these campaigns. The tactical goals remained the same.<\/p>\n\n\n\n<p>Rather, the technique changes were to bypass passive security controls. 
A common denominator among these evasive techniques is the abuse of process memory because it&#8217;s typically a static and predictable target for the adversary,&#8221; the researchers said.<\/p>\n\n\n\n<p><strong>Also Read<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/cybersecuritynews.com\/hackers-abuse-microsoft-build-engine\/\" target=\"_blank\" rel=\"noreferrer noopener\">Hackers Abuse Microsoft Build Engine to Deliver Password-Stealing Malware Filelessly<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/cybersecuritynews.com\/teabot-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">TeaBot \u2013 A New Malware that Steals Victim\u2019s Credentials and Intercepts SMS Messages<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that heavily uses the AutoHotKey scripting language, a fork of the AutoIt language that is frequently used for testing purposes. Researchers identified at least four versions of the RAT delivery campaign, each of which includes multiple advancements and adaptations over the past [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6083,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-sATdtQYGCNE\/YKR7q65cJ9I\/AAAAAAAANLQ\/jwS5tibbvsMlHhp0jz-6ezILDonBExDnACLcBGAsYHQ\/s16000\/RAT%2Bvia%2BAHK.png","fifu_image_alt":"RAT Uses Autohotkey","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[48],"tags":[266,336,479],"class_list":{"0":"post-6080","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-malware","9":"tag-rat","10":"tag-threats"},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.7.1 (Yoast SEO v25.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A New Unique RAT Heavily Uses The Autohotkey 
Scripting Language<\/title>\n<meta name=\"description\" content=\"The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that heavily uses the AutoHotKey scripting language, a fork of the AutoIt language\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A New Unique RAT Heavily Uses The Autohotkey Scripting Language On An Ongoing Malware Campaign\" \/>\n<meta property=\"og:description\" content=\"The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that heavily uses the AutoHotKey scripting language, a fork of the AutoIt language\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/\" \/>\n<meta property=\"og:site_name\" content=\"Cyber Security News\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Hackingtutorialsandnews\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/guruba008\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-19T02:53:38+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-05-19T09:51:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-sATdtQYGCNE\/YKR7q65cJ9I\/AAAAAAAANLQ\/jwS5tibbvsMlHhp0jz-6ezILDonBExDnACLcBGAsYHQ\/s16000\/RAT%2Bvia%2BAHK.png\" \/>\n<meta name=\"author\" content=\"Guru Baran\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-sATdtQYGCNE\/YKR7q65cJ9I\/AAAAAAAANLQ\/jwS5tibbvsMlHhp0jz-6ezILDonBExDnACLcBGAsYHQ\/s16000\/RAT%2Bvia%2BAHK.png\" \/>\n<meta name=\"twitter:creator\" content=\"@guruba008\" \/>\n<meta 
name=\"twitter:site\" content=\"@The_Cyber_News\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Guru Baran\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"A New Unique RAT Heavily Uses The Autohotkey Scripting Language","description":"The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that heavily uses the AutoHotKey scripting language, a fork of the AutoIt language","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/","og_locale":"en_US","og_type":"article","og_title":"A New Unique RAT Heavily Uses The Autohotkey Scripting Language On An Ongoing Malware Campaign","og_description":"The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that heavily uses the AutoHotKey scripting language, a fork of the AutoIt language","og_url":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/","og_site_name":"Cyber Security News","article_publisher":"https:\/\/www.facebook.com\/Hackingtutorialsandnews","article_author":"https:\/\/www.facebook.com\/guruba008","article_published_time":"2021-05-19T02:53:38+00:00","article_modified_time":"2021-05-19T09:51:22+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-sATdtQYGCNE\/YKR7q65cJ9I\/AAAAAAAANLQ\/jwS5tibbvsMlHhp0jz-6ezILDonBExDnACLcBGAsYHQ\/s16000\/RAT%2Bvia%2BAHK.png","type":"","width":"","height":""}],"author":"Guru 
Baran","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-sATdtQYGCNE\/YKR7q65cJ9I\/AAAAAAAANLQ\/jwS5tibbvsMlHhp0jz-6ezILDonBExDnACLcBGAsYHQ\/s16000\/RAT%2Bvia%2BAHK.png","twitter_creator":"@guruba008","twitter_site":"@The_Cyber_News","twitter_misc":{"Written by":"Guru Baran","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"NewsArticle","@id":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/#article","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/"},"author":{"name":"Guru Baran","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026"},"headline":"A New Unique RAT Heavily Uses The Autohotkey Scripting Language On An Ongoing Malware Campaign","datePublished":"2021-05-19T02:53:38+00:00","dateModified":"2021-05-19T09:51:22+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/"},"wordCount":453,"publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"image":{"@id":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/#primaryimage"},"thumbnailUrl":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-sATdtQYGCNE\/YKR7q65cJ9I\/AAAAAAAANLQ\/jwS5tibbvsMlHhp0jz-6ezILDonBExDnACLcBGAsYHQ\/s16000\/RAT%2Bvia%2BAHK.png?w=728&resize=728,380&ssl=1","keywords":["malware","RAT","threats"],"articleSection":["Threats"],"inLanguage":"en-US","copyrightYear":"2021","copyrightHolder":{"@id":"https:\/\/cybersecuritynews.com\/#organization"}},{"@type":"WebPage","@id":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/","url":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/","name":"A New Unique RAT Heavily Uses The Autohotkey Scripting 
Language","isPartOf":{"@id":"https:\/\/cybersecuritynews.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/#primaryimage"},"image":{"@id":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/#primaryimage"},"thumbnailUrl":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-sATdtQYGCNE\/YKR7q65cJ9I\/AAAAAAAANLQ\/jwS5tibbvsMlHhp0jz-6ezILDonBExDnACLcBGAsYHQ\/s16000\/RAT%2Bvia%2BAHK.png?w=728&resize=728,380&ssl=1","datePublished":"2021-05-19T02:53:38+00:00","dateModified":"2021-05-19T09:51:22+00:00","description":"The Morphisec Labs team has tracked a unique and ongoing RAT delivery campaign that heavily uses the AutoHotKey scripting language, a fork of the AutoIt language","breadcrumb":{"@id":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/#primaryimage","url":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-sATdtQYGCNE\/YKR7q65cJ9I\/AAAAAAAANLQ\/jwS5tibbvsMlHhp0jz-6ezILDonBExDnACLcBGAsYHQ\/s16000\/RAT%2Bvia%2BAHK.png?w=728&resize=728,380&ssl=1","contentUrl":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-sATdtQYGCNE\/YKR7q65cJ9I\/AAAAAAAANLQ\/jwS5tibbvsMlHhp0jz-6ezILDonBExDnACLcBGAsYHQ\/s16000\/RAT%2Bvia%2BAHK.png?w=728&resize=728,380&ssl=1","width":"728","height":"380","caption":"RAT Uses Autohotkey"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecuritynews.com\/rat-uses-autohotkey\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cybersecuritynews.com\/"},{"@type":"ListItem","position":2,"name":"A New Unique RAT Heavily Uses The Autohotkey Scripting Language On An Ongoing Malware Campaign"}]},{"@type":"WebSite","@id":"https:\/\/cybersecuritynews.com\/#website","url":"https:\/\/cybersecuritynews.com\/","name":"Cyber Security 
News","description":"World&#039;s #1 Premier Cybersecurity and Hacking News Portal","publisher":{"@id":"https:\/\/cybersecuritynews.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecuritynews.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cybersecuritynews.com\/#organization","name":"Cyber Security News","url":"https:\/\/cybersecuritynews.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/","url":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","contentUrl":"https:\/\/cybersecuritynews.com\/wp-content\/uploads\/2021\/06\/Cyber-security.jpg","width":200,"height":200,"caption":"Cyber Security News"},"image":{"@id":"https:\/\/cybersecuritynews.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Hackingtutorialsandnews","https:\/\/x.com\/The_Cyber_News","https:\/\/www.linkedin.com\/company\/cybersecurity-news\/"]},{"@type":"Person","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/f7f138f8fd41a61bb60151da47730026","name":"Guru Baran","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cybersecuritynews.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/72f86da0bb72b6886d25f0ef0c881daba3a98356bc44f916f8d3a62c9e856579?s=96&d=mm&r=g","caption":"Guru Baran"},"description":"Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer 
forensics.","sameAs":["https:\/\/cybersecuritynews.com","https:\/\/www.facebook.com\/guruba008","https:\/\/www.linkedin.com\/in\/gurubaran-cyberwrites\/","https:\/\/x.com\/guruba008"],"url":"https:\/\/cybersecuritynews.com\/author\/guru\/"}]}},"jetpack_featured_media_url":"https:\/\/i1.wp.com\/1.bp.blogspot.com\/-sATdtQYGCNE\/YKR7q65cJ9I\/AAAAAAAANLQ\/jwS5tibbvsMlHhp0jz-6ezILDonBExDnACLcBGAsYHQ\/s16000\/RAT%2Bvia%2BAHK.png?w=728&resize=728,380&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/6080","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/comments?post=6080"}],"version-history":[{"count":6,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/6080\/revisions"}],"predecessor-version":[{"id":6092,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/posts\/6080\/revisions\/6092"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media\/6083"}],"wp:attachment":[{"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/media?parent=6080"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/categories?post=6080"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuritynews.com\/wp-json\/wp\/v2\/tags?post=6080"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}