#Autoit

2025-05-19

RAT Dropped By Two Layers of AutoIT Code

A malware attack involving multiple layers of AutoIT code has been discovered. The initial file, disguised as a project file, contains AutoIT script that generates and executes a PowerShell script. This script downloads an AutoIT interpreter and another layer of AutoIT code. Persistence is achieved through a startup shortcut. The second layer of AutoIT code is heavily obfuscated and ultimately spawns a process injected with the final malware, likely AsyncRAT or PureHVNC. The attack utilizes various techniques including file downloads, script execution, and process injection to deliver and maintain the malicious payload.

Pulse ID: 682afb96260a8200f94a1698
Pulse Link: otx.alienvault.com/pulse/682af
Pulse Author: AlienVault
Created: 2025-05-19 09:36:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AsyncRAT #Autoit #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #ScriptExecution #VNC #bot #hVNC #AlienVault

2025-05-14

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

In January 2025, researchers identified attacks distributing DarkCloud Stealer, an information stealer that has been active since 2022. The latest attack chain incorporates AutoIt for evasion and uses file-sharing servers to host the malware. The multi-stage payload employs obfuscated AutoIt scripting, making detection challenging. DarkCloud Stealer targets various sectors, with a focus on government organizations, and is distributed through email phishing campaigns. It steals sensitive data including browser information, credentials, and credit card details. The malware employs anti-analysis techniques and achieves persistence through registry modifications. This evolving threat highlights the importance of advanced detection and prevention methods.

Pulse ID: 6824a0ff4c5eb93683386789
Pulse Link: otx.alienvault.com/pulse/6824a
Pulse Author: AlienVault
Created: 2025-05-14 13:56:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #Browser #Cloud #CreditCard #CyberSecurity #Email #FileSharing #Government #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #RAT #bot #AlienVault

2025-05-14

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt

Unit 42 researchers have identified a series of attacks distributing DarkCloud Stealer, an information-stealing malware that has been active since 2022. The latest attack chain incorporates AutoIt to evade detection and uses a file-sharing server to host the malware. The infection process begins with a phishing email containing a RAR archive or a PDF that downloads the archive. The archive contains an AutoIt-compiled executable that decrypts and executes the final DarkCloud Stealer payload. The malware steals sensitive data including browser passwords, credit card information, and email client credentials. It employs anti-analysis techniques and achieves persistence through registry modifications. The campaign has targeted various sectors, with a focus on government organizations, particularly in Poland.

Pulse ID: 6824cbccc06b226e68c5b4b5
Pulse Link: otx.alienvault.com/pulse/6824c
Pulse Author: AlienVault
Created: 2025-05-14 16:58:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Autoit #Browser #Cloud #CreditCard #CyberSecurity #Email #FileSharing #Government #InfoSec #Malware #OTX #OpenThreatExchange #PDF #Password #Passwords #Phishing #Poland #RAT #Unit42 #Word #bot #AlienVault

2025-04-01

"Analysis of the Konni APT Campaign Impersonating the Korean National Police Agency and the National Human Rights Commission" published by Genians. #AutoIt, #Konni, #LNK, #DPRK, #CTI genians.co.kr/blog/threat_inte

2024-10-30

"APT Group - Konni Launches New Attacks on South Korea" published by ThreatBook. #Konni, #AutoIt, #LNK, #DPRK, #CTI threatbook.io/blog/APT-Group--

Daniel Brendel (dbdev)
2024-08-23

I just updated AquaShell to a new stage.

We are very close to a full functional release!

What is AquaShell? It's a scripting shell inspired by AutoIt and AutoHotKey that you can use to automate tedious tasks as well as create complex scripted applications.

I even created a full working Twitch chat bot and HotS chat hotkey manager with the language.

Check it out: github.com/danielbrendel/dnyAq

2024-08-22

"Threat Tracking: Analysis of puNK-003’s Lilith RAT ported to AutoIt Script" published by S2W. #LINKON, #AutoIt, #puNK-003, #CURKON, #LNK, #LilithRAT, #DPRK, #CTI medium.com/s2wblog/threat-trac

Daniel Brendel (dbdev)
2024-08-20

Just some toying around with my scripting shell.

A small hotkey manager to post fancy chat messages into the ingame chat.

Sourcecode: aquashell-scripting.com/exampl

2024-07-31

"Analysis of the Konni APT Campaign Using AutoIt for Defense Evasion Tactics" published by Genians. #AutoIt, #LNK, #Konni, #CTI, #OSINT, #LAZARUS genians.co.kr/blog/threat_inte

Daniel Brendel (dbdev)
2024-05-03

Meet AquaShell: An automation and scripting shell for Windows inspired by the

aquashell-scripting.com/
github.com/danielbrendel/dnyAq

AquaShell can be used to automate tedious tasks as well as create complex apps.

Clearing a folder?
Performing cURL requests?
Update various dependencies?
Create a Twitch chatbot?

You can do all that with AquaShell - and even more!

Zeroday Podcast (stefan) zeroday@podcasts.social
2024-04-19

And now the prize question:
Why on earth did I use "AutoIT" for this whole mess, which I consider a great tool but actually the wrong tool for this task?

For the most important reason in tool selection: I know how to use it.

9/9

#programmieren #AutoIT #VM #storytime

2024-03-27

"Konni Group Delivers AutoIt Malware Targeting the Cryptocurrency Industry" published by Qianxin. #AutoIt, #LNK, #Konni, #CTI, #OSINT, #LAZARUS zhuanlan.zhihu.com/p/689051421

H3lium (H3liumb0y@infosec.exchange)
2024-01-23

"DarkGate Malware Unleashed: A New Threat in the Cybersecurity Arena 🚨"

The Splunk Threat Research Team has recently conducted an in-depth analysis of DarkGate malware, uncovering its utilization of the AutoIt scripting language for malicious purposes. This malware is notorious for its sophisticated evasion techniques and persistence, posing a significant threat. DarkGate employs multi-stage payloads and leverages obfuscated AutoIt scripts, making it difficult to detect through traditional methods. It is capable of exfiltrating sensitive data and establishing command-and-control communications, underscoring the need for vigilant detection strategies.

The key tactics and techniques of DarkGate include keylogging, remote connections, registry persistence, browser information theft, and C2 communication. One of its attack vectors involves the use of malicious PDF files that trigger the download of a .MSI file containing the DarkGate payload, demonstrating the complex strategies employed by adversaries.

For threat emulation and testing, the team recommends employing an Atomic Test focused on AutoIt3 execution (as per the MITRE ATT&CK technique T1059). Security teams are advised to concentrate on endpoint telemetry sources such as Process Execution & Command Line Logging, Windows Security Event Logs, and PowerShell Script Block Logging for effective detection.

Special commendations to authors Teoderick Contreras and Michael Haag, and the entire Splunk Threat Research Team, for their comprehensive analysis.

Tags: #DarkGate #AutoIt #MalwareAnalysis #CyberSecurity #ThreatIntelligence #MITREATTACK #InfoSecCommunity #SplunkResearch

Blog: Splunk Threat Research Team

2023-12-08

"Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)" published by Ahnlab. #AutoIt, #RftRAT, #Kimsuky, #Amadey, #CTI, #OSINT, #LAZARUS asec.ahnlab.com/en/59590/

2023-12-01

"Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)" (Korean version) published by Ahnlab. #Kimsuky, #RftRAT, #AutoIt, #Amadey, #CTI, #OSINT, #LAZARUS asec.ahnlab.com/ko/59460/

me·ta·phil (dermetaphil@chaos.social)
2023-10-17

💡 #TIL there's another effort going on to bring inglorious #AutoHotkey to 🐧 GNU/#Linux! (#X11, that is.)

Meet #AHK_X11 🥳

🌐 github.com/phil294/AHK_X11
📖 phil294.github.io/AHK_X11

☝️ Caveat: It only supports legacy #AHK 1.1 syntax and does not aim for 100% feature parity/compatibility, but should enable you to use most of your #hotkeys and #hotstrings #crossplattform! (Sync on your own).

#scripting #automation #DesktopAutomation #KeyboardWarriors #xdotool #gtk #AutoIt #AutoKey #AlternativeTo

[Image: a Microsoft Windows 95 themed message box titled "AutoHotkey for Linux" with the text "AHK_X11" and an OK button]

Excerpt from the AHK_X11 README:

AHK_X11 is a very basic but functional reimplementation of AutoHotkey v1.0.24 (2004) for Unix-like systems with an X window system (X11), written from the ground up in Crystal, with the eventual goal of 80% feature parity, but most likely never full compatibility. Currently about 80% of the work of getting there is done, but even at 100%, because of the old version of the spec (at least for now), many modern AHK features are missing, especially expressions (:=, % v), classes, objects and functions, so you probably can't just port your scripts from Windows. More to read: Project goals

This AHK is shipped as a single executable native binary with very low resource overhead and fast execution time. You can use AHK_X11 to create stand-alone binaries with no dependencies, including full functionality like Hotkeys and GUIs. (just like on Windows)

Please also check out Keysharp, a WIP fork of IronAHK, another complete rewrite of AutoHotkey in C# that tries to be compatible with multiple OSes and support modern, v2-like AHK syntax with much more features than this one. In comparison, AHK_X11 is a lot less ambitious and more compact, and Linux only.

Features:

✓ Hotkeys
✓ Hotstrings
✓ Key remappings
✓ Window management
✓ Send keys
✓ Control mouse
✓ File management
✓ GUIs
✓ One-click compile script to portable stand-alone executable
✓ Scripting: labels, flow control: Loop, IfWinExists, etc.
✓ Window Spy
✓ Context menu and compilation just like on Windows

[Image: another screenshot of the application's README showing code snippets for AutoHotkey syntax examples]

TheDcoder
2023-07-01

@nixCraft I was 14 and I was trying to make a program to backup my Minecraft world saves 😅

Before that I had unsuccessfully attempted to learn , it never clicked to me. Everyone said that the syntax was easy but it wasn't easy for me.

What did click with me was Windows Shell Script, a.k.a Batch!

I felt very powerful when I started writing my little batch scripts. Soon after I discovered an obscure language called which I loved! I still use it to this day, professionally too.

@craigmaloney

Use #Autohotkey / #Autoit and make em yourself ...

Well, here goes: #introduction

It started with Apple IIs and Oregon Trail in the late 80s, and in middle school they had a lab full of them and we drew stuff with LOGO and saved our work on the old 5 inch floppies. Was addicted to Hover when it came out. Finally we had a family computer and got dialup, and I was home alone when I experienced my first malware infection, and not wanting to get in trouble, I learned really fast what the command line and the registry were, and I had it all cleaned up with no trace by the time anyone else got home. I'd spend hours tinkering with this or that, or fixing things that went wrong.

Discovered AI/chatbots and built a couple using the Personality Forge, and for a while they were the most advanced chatbots on the site. I'd work on their programming with a Palm IIe and a folding keyboard, while away from my desk, and then I'd 'hotsync' my notes and upload changes via dialup, those were the days! "Get off the computer I need to make a phone call" lol

My interests were anything tech. It went from being an interest to being a professional endeavor when I started doing flash dev and website work for a travel directory site in PV, Mexico, while I was living there, and when I returned to the states I worked for a small ISP doing #WIMAX installs using Motorola Canopy gear, along with whatever malware removal, hardware fixes, repairs, reinstalls, whatever, all manner of PC stuff.

Moved to TX, worked for another ISP down there doing the same thing, involved using slightly older tech gear, and this was around the time malware infections were starting to really plague even smaller businesses, and I started to focus on #infosec and #security, and then they bought a webhosting company and I switched back to website work, updating sites that had been built using... html tables and sketchy code that was often missing tags. Wrote repair articles for #Technibble for a while, then started out on my own, specializing in anything tech, from #networking #troubleshooting #ComputerRepair #programming small stuff using batch scripts, #AutoIT, (am I supposed to tag this stuff? I'm new to this here) and started up my own #webhosting company where I could pick and choose what platforms to use, free reign to give customers the best bang for their buck, and #WordPress was simple enough to get them into, make something that fit the need, and then hand the reins over to them for most of the content changes in the future unless something went terribly wrong.

Worked in retail electronics and got some experience with mobile tech, helped customers with analog phones transfer their stuff to new phones, activation, etc, meanwhile discovering Android, which led to #root discovery and fascination with #CustomRom stuff, which led to #AppDev for a customer using Android and iOS, but I only dabble in that sector.

Returned to WA and helped with a non-tech family business, but the lack of a #CRM that did what I wanted led me to build custom functionality onto an existing CRM using the ol' #php, and then built a custom #IoT system using #micropython for a customer, #ESP32 (love these things) etc, and then the pandemic happened and I went straight into #python and wanted to use #django but the workflow wasn't to my liking, so I took a step back and followed a friend's advice to get more into #javascript which I'm absolutely loving, with a focus on #NodeJS.

My main line of work at the moment is something I'd probably have to add a disclaimer for, so instead I'll just say that it's really fun and keeps me active, and involves tech to a degree, possibly primarily because I prefer to leverage tech solutions wherever possible to save time, money, and 'decision fatigue' to spend that instead on refreshing old skills and learning new ones.

I type really fast, which unfortunately leads to me writing entire novels inside emails (heh) and I also forget a lot of the stuff I've done because I switch focus depending on what solutions are needed, so for a TL;DR:

I'm a nerd who loves anything even lightly tech or security related, sort of a jack of all trades #technologist: If someone has a problem or a tech need, I either find an affordable/free solution or build it. If I need to learn it to build it, no worries, just adds a little time to the project.

I love this #Mastodon thing and look forward to all the awesome stuff I've been seeing here, wishing I had more to share in return. Thank you @jerry!

2021-10-25

OK, apparently ShellExecuteWait in #autoIT at least works in interactive mode.

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst