AHK Rat Loader Used in Ongoing Delivery Campaigns

 3 years ago
source link: https://news.softpedia.com/news/ahk-rat-loader-used-in-multiple-delivery-campaigns-532988.shtml

Morphisec tracked a unique and ongoing RAT delivery campaign

An ongoing malware campaign that uses the AutoHotkey (AHK) scripting language to deliver a variety of RATs, including LimeRAT, AsyncRAT, Houdini, Vjw0rm, and Revenge RAT, has been discovered. Since February, at least 4 separate versions have been identified.

According to Morphisec, the RAT distribution starts with an AutoHotkey (AHK) script: a standalone executable that contains the AHK interpreter, the AHK script, and any files embedded with the FileInstall command. In this campaign, the attackers bundle malicious scripts and executables alongside a legitimate application to disguise their intent.

In the first version of the attack, spotted on February 17, the attackers wrapped the dropped RAT in an AHK executable and disabled Microsoft Defender with a Batch script, launched through a shortcut (.LNK) file pointing to that script.

A second version, which appeared on March 31, blocked connections to antivirus solutions by tampering with the victim's hosts file. By resolving certain domains to the localhost address instead of their real one, the manipulation effectively blocked DNS resolution for those domains.
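As an added example (not code from the article or from Morphisec's report), a small hosts-file audit that flags the kind of tampering described above: any hostname mapped to a loopback or null address other than the default localhost names. The sample hosts content and the av-vendor.example names are constructed for illustration.

```python
import ipaddress
import os

# Default names that legitimately map to loopback on a Windows host.
ALLOWED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Default Windows hosts file location (used only when it exists).
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts mapping line
        yield line_no, ip, [h.lower() for h in parts[1:]]


def find_sinkholed(text):
    """Return (line_no, ip, hostname) for every name sinkholed to loopback/null."""
    hits = []
    for line_no, ip, hosts in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for host in hosts:
            if host not in ALLOWED_LOOPBACK_NAMES:
                hits.append((line_no, str(ip), host))
    return hits


# Constructed sample: a clean file with two attacker-added sinkhole lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example
127.0.0.1       update.av-vendor.example  # added by the loader
0.0.0.0         cloud.av-vendor.example telemetry.av-vendor.example
"""

if __name__ == "__main__":
    path = WINDOWS_HOSTS if os.path.exists(WINDOWS_HOSTS) else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for line_no, ip, host in find_sinkholed(text):
        print(f"line {line_no}: {host} -> {ip}")
```

Run on a Windows host it reads the live hosts file; elsewhere it audits the constructed sample.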

The third loader chain, discovered on April 8, delivered LimeRAT through an obfuscated VBScript, which decodes into a PowerShell command that retrieves a C# payload.

Threat actors adapt to new security measures

As threat actors study baseline security measures such as emulators, antivirus, and user authentication, they develop strategies to bypass and evade them.

The improvements in the strategy described in the study had an insignificant effect on the effectiveness of these campaigns. Moreover, the methodology was enhanced to circumvent passive security controls. Process memory is the common denominator among these evasive tactics, since it is usually a static and predictable target for the adversary.

The baseline controls are still needed to keep automated attacks at bay. However, the manual tradecraft used by creative attackers such as this one requires a modern approach to cybersecurity.
