AutoHotkey-Based Password Stealer Targeting US, Canadian Banking Users


Danger entertainers have been found conveying another accreditation stealer written in AutoHotkey (AHK) scripting language as a feature of a progressing effort that began mid-2020.

Clients of monetary organizations in the US and Canada are among the essential focuses for accreditation exfiltration, with a particular spotlight on banks, for example, Scotiabank, Royal Bank of Canada, HSBC, Alterna Bank, Capital One, Manulife, and EQ Bank. Likewise remembered for the rundown is an Indian financial firm ICICI Bank.

AutoHotkey is an open-source custom scripting language for Microsoft Windows pointed toward giving simple hotkeys to large scale creation and programming computerization that permits clients to mechanize dreary assignments in any Windows application.

The multi-stage contamination chain initiates with a malware-bound Excel record that is installed with a Visual Basic for Applications (VBA) AutoOpen large scale, which is in this way used to drop and execute the downloader customer content (“adb.ahk”) by means of an authentic convenient AHK content compiler executable (“adb.exe”).

The downloader customer content is likewise answerable for accomplishing determination, profiling casualties, and downloading and running extra AHK contents from order and-control (C&C) workers situated in the US, the Netherlands, and Sweden.

What makes this malware distinctive is that as opposed to getting orders straightforwardly from the C&C worker, it downloads and executes AHK contents to achieve various assignments.

“By doing this, the aggressor can choose to transfer a particular content to accomplish modified errands for every client or gathering of clients,” Trend Micro analysts said in an investigation. “This additionally keeps the fundamental parts from being uncovered openly, explicitly to different specialists or to sandboxes.”

Boss among them is a certification stealer that objectives different programs, for example, Google Chrome, Opera, Microsoft Edge, and then some. When introduced, the stealer likewise endeavors to download a SQLite module (“sqlite3.dll”) on the contaminated machine, utilizing it to perform SQL questions against the SQLite information bases inside programs’ application envelopes.

In the last advance, the stealer gathers and decodes accreditations from programs and exfiltrates the data to the C&C worker in plaintext by means of an HTTP POST solicitation.

Taking note of that the malware segments are “efficient at the code level,” the specialists propose the incorporation of utilization guidelines (written in Russian) could infer a “hack-for-enlist” bunch that is behind the assault chain’s creation and is offering it to others as an administration.

“By utilizing a scripting language that comes up short on an underlying compiler inside a casualty’s working framework, stacking pernicious parts to accomplish different errands independently, and changing the C&C worker regularly, the assailant has had the option to stow away their expectation from sandboxes,” the specialists closed.


Please enter your comment!
Please enter your name here