AutoHotkey-Based Password Stealer Targeting US, Canadian Banking Users

  • Menace actors have been identified distributing a new credential stealer prepared in AutoHotkey (AHK) scripting language as element of an ongoing marketing campaign that began early 2020.

    Customers of economic establishments in the US and Canada are among the the primary targets for credential exfiltration, with a precise target on banking companies such as Scotiabank, Royal Financial institution of Canada, HSBC, Alterna Bank, Cash 1, Manulife, and EQ Bank. Also included in the checklist is an Indian banking firm ICICI Lender.

    AutoHotkey is an open up-supply custom made scripting language for Microsoft Windows aimed at providing straightforward hotkeys for macro-creation and program automation that allows end users to automate repetitive duties in any Windows software.

    The multi-stage an infection chain commences with a malware-laced Excel file that is embedded with a Visible Fundamental for Applications (VBA) AutoOpen macro, which is subsequently made use of to drop and execute the downloader client script (“adb.ahk”) by means of a genuine moveable AHK script compiler executable (“adb.exe”).

    The downloader client script is also liable for acquiring persistence, profiling victims, and downloading and jogging supplemental AHK scripts from command-and-control (C&C) servers located in the US, the Netherlands, and Sweden.

    What helps make this malware different is that as a substitute of acquiring instructions specifically from the C&C server, it downloads and executes AHK scripts to accomplish distinctive tasks.

    “By performing this, the attacker can make your mind up to upload a distinct script to achieve custom-made responsibilities for each person or team of people,” Trend Micro researchers claimed in an analysis. “This also helps prevent the primary parts from becoming disclosed publicly, exclusively to other researchers or to sandboxes.”

    Main amid them is a credential stealer that targets various browsers these kinds of as Google Chrome, Opera, Microsoft Edge, and much more. The moment installed, the stealer also attempts to down load an SQLite module (“sqlite3.dll”) on the infected device, making use of it to execute SQL queries against the SQLite databases inside of browsers’ app folders.

    In the closing phase, the stealer collects and decrypts credentials from browsers and exfiltrates the information and facts to the C&C server in plaintext by using an HTTP Write-up ask for.

    Noting that the malware components are “very well arranged at the code level,” the scientists advise the inclusion of utilization instructions (penned in Russian) could suggest a “hack-for-retain the services of” group that is powering the attack chain’s development and is presenting it to other people as a services.

    “By utilizing a scripting language that lacks a constructed-in compiler within a victim’s functioning program, loading malicious factors to attain many duties individually, and shifting the C&C server often, the attacker has been capable to cover their intention from sandboxes,” the researchers concluded.

    Observed this short article intriguing? Follow THN on Facebook, Twitter  and LinkedIn to browse far more exceptional information we submit.