
A Credential Stealer Written in AutoHotkey Scripting Language


A new credential stealer has been identified that is written in AutoHotkey (AHK) scripting language. In an ongoing attack campaign that started in early 2020, threat actors were found to be distributing this infostealer, focusing on customers of financial organizations located in the U.S. and Canada.

What has happened?

The infostealer is built for credential exfiltration and has been aimed at customers of multiple banks, including Royal Bank of Canada, Scotiabank, HSBC, Alterna Bank, EQ Bank, Capital One, Manulife, and ICICI Bank.

  • The multi-stage infection chain starts with a malicious Excel file carrying a VBA AutoOpen macro. The macro drops a portable AutoHotkey script compiler executable together with a downloader "client" script, and uses the former to run the latter.
  • This client script profiles the victim, establishes persistence, and downloads and executes further AHK scripts from command-and-control servers located in Sweden, the Netherlands, and the U.S.
  • In the final stage, the stealer collects and decrypts credentials saved by the victim's browsers and sends them to the C&C server as plain text in an HTTP POST request.
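The chain above leaves a recognisable trail in endpoint telemetry: an Office process launching a script interpreter, and that interpreter then talking to the network. The following is an added detection example written for this page, not code from the original article or from the researchers who analysed the campaign. It runs over constructed Sysmon-style process-creation and network-connection records (the field names Image, ParentImage and CommandLine are Sysmon's; the events themselves, paths and IPs are made up). The AutoHotkey binary names listed are those shipped with the standard AutoHotkey v1 distribution; the article does not say which binary the campaign dropped, so the check also matches any command line that references an `.ahk` script.

```python
"""Flag the Excel -> AutoHotkey stealer chain in process and network logs.

Added example for this page. The events below are constructed Sysmon-style
records (Event ID 1 process create, Event ID 3 network connect); they are
not real campaign data.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable

# Office hosts that should not normally launch a script interpreter.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Standard AutoHotkey v1 interpreter/compiler binaries (assumption: the
# article does not name the binary the campaign dropped).
AHK_BINARIES = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe", "ahk2exe.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


@dataclass
class NetEvent:
    pid: int
    image: str
    dest_ip: str
    dest_port: int


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def is_ahk_process(ev: ProcEvent) -> bool:
    """True if the image is an AHK binary or the command line runs a .ahk script."""
    if _base(ev.image) in AHK_BINARIES:
        return True
    return ".ahk" in ev.command_line.lower()


def office_spawned_ahk(events: Iterable[ProcEvent]) -> list[ProcEvent]:
    """Stage 1: an Office application (i.e. its macro) starting an AHK interpreter/script."""
    return [ev for ev in events
            if _base(ev.parent_image) in OFFICE_HOSTS and is_ahk_process(ev)]


def ahk_with_network(procs: Iterable[ProcEvent],
                     nets: Iterable[NetEvent]) -> list[tuple[ProcEvent, NetEvent]]:
    """Stages 2-3: an AHK process reaching out over HTTP(S) to fetch scripts or POST loot."""
    ahk_by_pid = {ev.pid: ev for ev in procs if is_ahk_process(ev)}
    return [(ahk_by_pid[n.pid], n) for n in nets
            if n.pid in ahk_by_pid and n.dest_port in (80, 443)]


# Constructed sample telemetry (paths, PIDs and TEST-NET addresses are invented).
SAMPLE_PROCS = [
    ProcEvent(1200, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\explorer.exe",
              r'"EXCEL.EXE" C:\Users\u\Downloads\invoice.xlsm'),
    ProcEvent(1340, r"C:\Users\u\AppData\Roaming\AutoHotkeyU32.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"C:\Users\u\AppData\Roaming\AutoHotkeyU32.exe" C:\Users\u\AppData\Roaming\client.ahk'),
    # Benign: the user launched their own hotkey script from Explorer.
    ProcEvent(2001, r"C:\Users\u\Tools\AutoHotkey.exe", r"C:\Windows\explorer.exe",
              r'"C:\Users\u\Tools\AutoHotkey.exe" hotkeys.ahk'),
]
SAMPLE_NET = [
    NetEvent(1340, r"C:\Users\u\AppData\Roaming\AutoHotkeyU32.exe", "203.0.113.10", 80),
    NetEvent(1200, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "198.51.100.5", 443),
]


def report(procs: list[ProcEvent], nets: list[NetEvent]) -> list[str]:
    """Human-readable findings; the PID set lets the two signals be correlated."""
    lines = [f"office->ahk pid={ev.pid} cmd={ev.command_line}" for ev in office_spawned_ahk(procs)]
    lines += [f"ahk-network pid={p.pid} dst={n.dest_ip}:{n.dest_port}" for p, n in ahk_with_network(procs, nets)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PROCS, SAMPLE_NET):
        print(line)
```

The user-launched AutoHotkey.exe in the sample is deliberately not flagged by the first rule: the signal is the Office parent, not the interpreter itself, which is also why the second rule is keyed on PIDs already known to be AHK processes rather than on every outbound connection.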

Additional insights

  • What sets this stealer apart is that, instead of receiving commands from the C&C server, it downloads and executes additional AHK scripts for each task it needs to perform. The core malicious logic therefore never ships with the initial sample and stays out of public view.
  • This also lets the operators tailor scripts to individual victims or groups of victims, giving them fine-grained control over what the malware does on each machine.

Recent attacks using infostealers

  • In early December, a payment card skimmer group was found to be using the Raccoon infostealer to siphon off data.
  • In addition, a web skimmer was discovered in social media buttons, targeting e-commerce and online shoppers.

Conclusion

Delivering the malicious logic as interpreted scripts that are fetched on demand lets the attackers keep it out of sight of sandboxes that only detonate the initial file, making the attack harder to analyze and block. Experts therefore suggest organizations train employees about the risks of macro-laced email attachments, deploy reliable anti-malware software, and treat emails from unknown senders with caution.

Source: https://cyware.com/news/a-credential-stealer-written-in-autohotkey-scripting-language-8d53e5e8
