AutoHotkey-Based Credential Stealer Targets US, Canadian Bank Customers

Trend Micro group has actually identified a malwares command-and-control (C&C) servers that has actually been targeting the banks in the US and Canada and figured out that these originated from the US, the Netherlands, and Sweden. It is believed that they have actually been using the scripting language AutoHotkey (AHK).

What is AutoHotkey (AHK)?

Threat stars have actually used this scripting language that has no built-in compiler within a victims operating system, and which cant be performed without its compiler or interpreter.

AHK is an open-source scripting language for Windows that intends to provide easy keyboard shortcuts or hotkeys, quickly micro-creation, and software application automation. AHK likewise allows users to develop a “compiled”. EXE with their code in it.

How does the malware work?

The downloader client is accountable for attaining perseverance, profiling victims, and downloading and performing AHK script in a victim system. Rather of receiving commands from the C&C server, the malware downloads and executes the AHK script for different jobs.

The adb.exe is a genuine portable AHK script compiler, and its job is to put together and perform the AHK script at an offered course.

You can follow us on Linkedin, Twitter, Facebook for day-to-day Cybersecurity, and hacking news updates.

This ID acts as the demand course to its command-and-control (C&C) server to retrieve and carry out the AHK script on an infected system.

There are 5 C&C servers and 2 commands discovered here: deletecookies and passwords..

Through the downloads a thief is written in AHK which is accountable for harvesting credentials from numerous web browsers and exfiltrating them to the assailant, which majorly targets Bank site addresses.

The two vital roles in the infection are.

The downloader client likewise produces an autorun link for adb.exe in the startup folder. This portable executable executes an AHK script with the very same name in the exact same directory site which is called as adb.ahk.

The main function of this malware is to take qualifications from various internet browsers such as Microsoft Edge, Google Chrome, Opera, Firefox, and Internet Explorer (IE).

AHK script is a downloader client that is responsible for achieving determination, profiling victims, and downloading and carrying out the AHK script on a victim system.

For command execution, the malware accepts numerous AHK scripts for different tasks per victim and executes these utilizing the exact same C&C URL.

Then this script calls each user by producing a distinct ID for each victim based on the volume identification number of the C drive. The malware then goes through a limitless loop and starts to send an HTTP GET request every 5 seconds with the generated ID.

The downloaded script is a stealer that targets numerous browsers such as Google Chrome, Opera, Edge, and more. The stealer gathers and decrypts credentials from web browsers and exfiltrates the details to the assailants server by means of an HTTP POST demand.

To exact the working, this malware infection consists of several stages that start with a malicious Excel file. If the user allows the macros to open the Excel file, VBA AutoOpen macro will then perform the downloader and drop customer script by means of a legitimate portable AHK script compiler.

Effects of malware attack.