Attacks using a new credential-stealing threat built on AutoHotkey (AHK) scripting were recently detected by researchers at Trend Micro. The newly discovered attacks appear to be part of a campaign that started sometime early in the current year.
According to the researchers, the new series of attacks primarily targets major banks in the US and Canada, among them Capital One, HSBC, the Royal Bank of Canada, Alterna Bank, Scotiabank, and EQ Bank. ICICI Bank, an Indian bank, also appears to be among the victims.
AutoHotkey Infection Procedure
As already mentioned, the credential-stealing malware used in these attacks is written in the open-source scripting language AutoHotkey. AutoHotkey is a scripting language for Microsoft Windows designed for macro creation: it lets users assign hotkeys that automate repetitive tasks across different Windows applications.
The infection begins with a Microsoft Excel file carrying a Visual Basic for Applications (VBA) macro. The macro drops a downloader script named “adb.ahk” and executes it through a legitimate AHK interpreter executable named “adb.exe”.
The adb.ahk script also establishes persistence on the targeted system, profiles the victim, and automatically downloads and launches further malicious AHK scripts. Those additional scripts are fetched from command-and-control (C&C) servers that appear to be located in Sweden, the Netherlands, and the USA.
A major difference between this and other similar malware is that it downloads the additional AHK scripts that carry out each specific task instead of receiving its commands directly from the C&C servers.
According to Trend Micro’s researchers, this helps the malware to execute tasks specifically customized for each occasion while also keeping its main components concealed.
On the compromised system, the malware targets popular, widely used browsers such as Microsoft Edge, Google Chrome, and Opera. The credential stealer downloads a file named sqlite3.dll onto the attacked computer and uses it to run SQL queries against the SQLite databases stored in each targeted browser’s application folder.
Finally, the malware collects the data returned by those SQL queries, decrypts the credentials stored by the browser, and sends the resulting plaintext to the C&C server in an HTTP POST request.
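The infection chain above (Excel macro launching a renamed AHK interpreter, the script loading sqlite3.dll from a user-writable path, then an outbound HTTP POST) lends itself to a chained endpoint detection. The following is an added example, not code from the article or from Trend Micro; the Sysmon-style event fields, the adb.exe path and the sample telemetry are all constructed assumptions.

```python
"""Detect the AutoHotkey stealer chain from this article on constructed Sysmon-style events (field names are assumptions)."""
from dataclasses import dataclass

@dataclass
class Event:
    kind: str                 # "process", "imageload" or "network"
    image: str                # full path of the acting process
    parent: str = ""          # parent image (process events)
    cmdline: str = ""         # command line (process events)
    original_name: str = ""   # PE OriginalFileName; survives renaming to adb.exe
    loaded: str = ""          # DLL path (imageload events)
    dest_port: int = 0        # destination port (network events)

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}

def _base(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect(events):
    """R1: an Office app spawned an AHK interpreter (matched on OriginalFileName or a .ahk argument, so a renamed binary is still caught);
    R2: that AHK process loaded sqlite3.dll from a user-writable location;
    R3: the same process then opened an outbound HTTP/HTTPS connection."""
    findings, ahk, sqlite = [], set(), set()
    for e in events:
        img = e.image.lower()
        if e.kind == "process":
            if e.original_name.lower() == "autohotkey.exe" or ".ahk" in e.cmdline.lower():
                ahk.add(img)
                if _base(e.parent) in OFFICE:
                    findings.append(("R1_office_spawns_ahk", e.image))
        elif e.kind == "imageload" and img in ahk:
            dll = e.loaded.lower()
            if _base(dll) == "sqlite3.dll" and "\\users\\" in dll:
                sqlite.add(img)
                findings.append(("R2_ahk_loads_sqlite3", e.image))
        elif e.kind == "network" and img in sqlite and e.dest_port in (80, 443):
            findings.append(("R3_ahk_exfil_http", e.image))
    return findings

# Constructed sample telemetry mirroring the chain: macro drops adb.ahk, runs it
# through the renamed interpreter, loads sqlite3.dll, then calls out over HTTP.
A = r"C:\Users\victim\AppData\Roaming\adb.exe"
SAMPLE = [
    Event("process", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    Event("process", A, parent=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          cmdline=f'"{A}" adb.ahk', original_name="AutoHotkey.exe"),
    Event("imageload", A, loaded=r"C:\Users\victim\AppData\Roaming\sqlite3.dll"),
    Event("network", A, dest_port=80),
]
```

Running `detect(SAMPLE)` yields the three findings in chain order; R2 and R3 only fire for a process that R1's interpreter check has already tagged, which keeps a lone sqlite3.dll load by a legitimate application from alerting.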
Researchers hypothesize that the creators of this malware are a “hack-for-hire” group that developed the threat as a paid service for other cybercriminals. Evidence supporting this is the inclusion of usage instructions written in Russian within the malware’s code.