AutoIT makes malware “outrageously easy”May 7, 2013 – 6:50 PM
Security firm Trend Micro has seen an uptick in AutoIT-based malware thanks to the fact that it’s an easy-to-learn language that allows for quick development. It enables everything from simple scripts that change text files to scripts that perform mass downloads with complex GUIs. One commonly seen nefarious AutoIT tool code being uploaded to Pastebin is a keylogger.
“Grabbing this code, anyone with bad intentions can quickly compile and run it in a matter of seconds,” said threat researcher Kyle Wilhoit. “Upon compiling and executing the script, it creates two files – one that displays the correlated keystrokes in a local HTML page, and a second file that is a zip file of the first file – likely for exfiltration.”
In addition to keyloggers, Remote Access Trojan (RAT)-builders and server administrators based on AutoIT are becoming more prevalent.
“One RAT-builder identified was particularly interesting, as it showed a relatively professional level of development,” Wilhoit said. “Upon connecting to this RAT builder/administrator, the nefarious actor can get a remote shell and perform a litany of other system tasks on the victim. Further analysis of this RAT builder traces the developer back to several underground forums.”
Trend Micro also found a tremendous increase recently in the amount of malware utilizing AutoIT as a scripting language. One piece of malware that was found in the wild is a variant of the popular DarkComet RAT, using AutoIT. This variant runs a backdoor on the victim machine and communicates outbound to a malicious host. It also modifies the local software firewall policies to disable them, in addition to installing itself at startup for persistency.