Targeted Phishing Attack uses AutoIT

Thursday, August 27, 2015 @ 04:08 PM gHale

A targeted phishing attack is leveraging AutoIt, a popular Windows scripting and automation tool used by system administrators, researchers said.

Attackers used AutoIt to install a Remote Access Trojan (RAT) on the victim's machine “and maintain persistence on the host in a manner that’s similar to normal administration activity,” said researchers from Cisco’s Talos Group.


AutoIt then gives the attacker a channel through which to control the sysadmin’s machine, and because the tool is legitimately present on such hosts its activity is less likely to stand out as the kind of behavior antivirus software flags.

“The combination of a legitimate administration tool being used to install a back-door onto a target system is unique and is why this attack caught our attention,” researchers said in a blog post.

The bait is a Microsoft Word document that uses a logo to impersonate a business – the Corlido Group, in the example given – with a macro that downloads and executes the attack binary.

One of the payloads Talos spotted in the attack was in the form of an AutoIt script, unusual in itself: the attackers apparently felt confident enough in the novelty of the approach that they left the script’s logic readable rather than hiding it inside an encrypted binary. The script “contained the actual functionality that performed anti-analysis checks, payload decryption, malware installation, and persistence.”
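The two artifacts described above, a macro-carrying Word document as the bait and an AutoIt-based executable as the payload, both leave file-level traces a defender can triage for even when antivirus signatures miss them. The following is an added example, not code from Talos or from this article: it checks whether an Office file is an OOXML container with a VBA project, and whether a PE file carries the “AU3!EA06” marker that the AutoIt v3 compiler embeds in compiled scripts (the same string common YARA rules key on). The sample files are constructed in-line for the demonstration and are not real samples from the campaign.

```python
import io
import zipfile

# Marker string embedded in executables produced by the AutoIt v3 compiler;
# common YARA rules for compiled AutoIt key on this same string.
AUTOIT_MARKER = b"AU3!EA06"

# OOXML parts whose presence means the document carries VBA macros.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def is_macro_enabled_office(data: bytes) -> bool:
    """True if `data` is an OOXML (zip-based) document that contains a VBA project."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)


def has_autoit_script(data: bytes) -> bool:
    """True if `data` looks like a PE file carrying a compiled AutoIt script."""
    return data.startswith(b"MZ") and AUTOIT_MARKER in data


def triage(data: bytes) -> list:
    """Return the list of indicators found in one file's contents."""
    findings = []
    if is_macro_enabled_office(data):
        findings.append("macro-enabled Office document")
    if has_autoit_script(data):
        findings.append("compiled AutoIt script in PE")
    return findings


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Word document (a stand-in, not a campaign sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is an OLE compound file; the header is all we mimic.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-vba-project")
    return buf.getvalue()


def _build_pe(with_autoit: bool) -> bytes:
    """Constructed stand-in for an executable: MZ header, filler, optional marker."""
    body = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
    if with_autoit:
        body += b"FILE" + AUTOIT_MARKER + b"\x00" * 16
    return body


# Hypothetical file names; contents are constructed above.
SAMPLES = {
    "invoice.docm": _build_ooxml(with_macro=True),
    "memo.docx": _build_ooxml(with_macro=False),
    "update.exe": _build_pe(with_autoit=True),
    "notepad.exe": _build_pe(with_autoit=False),
}


def triage_samples() -> dict:
    """Run triage over every constructed sample and map file name to findings."""
    return {name: triage(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(f"{name}: {', '.join(findings) if findings else 'no indicators'}")
```

Both checks are triage signals rather than verdicts: legitimate software is also compiled with AutoIt, and a macro-enabled document is not malicious by itself, so hits should route to review (or to a macro-execution policy) rather than to automatic blocking. The marker check is also trivially defeated by an attacker who strips the string, so it complements, and does not replace, the mail-filtering and URL-blacklisting controls the researchers recommend.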

Many of the payloads Talos found were not detected by antivirus scanners. Researchers said users should step up their email phishing protection and maintain blacklists of malicious websites.