AutoIT Malware Attacking Gmail Users To Steal Login Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

A malicious AutoIT-compiled executable has been discovered that attempts to open Gmail login pages using popular browsers and possesses capabilities to steal clipboard data, capture keystrokes, and manipulate system behavior. 

It can also evade detection by blocking user input and taking control of keyboard and mouse events. Users are advised to exercise caution when running files from untrusted sources or with ambiguous names. 

The analysis using Detect-It-Easy (DIE) reveals that the malware is an AutoIT executable, and the original file name was “File.exe,” which imports multiple obfuscated libraries with no clear data, indicating potential obfuscation techniques. 

DIE Sample detection

The presence of four separate networking libraries suggests that the malware may engage in network-based activities.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Overall, the analysis indicates that the malware is likely designed to execute malicious actions and potentially compromise network systems.

The AutoITExtractor tool allows retrieval of the original script from a compiled AutoIT executable, which reveals the program’s functionality in plain text, while the extracted script exposes the program’s malicious intent. 

Extracted script contents

It contains clear instructions to locate and launch popular web browsers, directing them to the Google sign-in page (accounts.google.com), which suggests that the program targets user accounts on Google and potentially other platforms. 

The binary analysis reveals no explicit malicious addresses, while the script attempts to access Google accounts and contains generic login links for various social media platforms.

While browsers function as expected, a separate function establishes a listening socket under specific conditions. 

Socket option setup

A backdoor or remote access trojan that is capable of compromising user data or network connections is one example of the potentially malicious activity that is suggested by this detection.

The malware, when encountering a failed socket setup, uses the WSAGetLastError Windows API to retrieve the specific error code, which is observed during dynamic analysis. 

Socket bind operation (failed)

When the infected browsers are executed, they spawn multiple processes using a command-line structure, which likely involves parameters related to network communication or specific functionalities suggesting that the malware is attempting to establish connections or perform actions over the network.

The initial process in the malware creates a concealed, isolated page within Firefox and subsequently, it tries to establish a network connection. 

If successful, it proceeds to implement keylogging, screen capturing, and further file enumeration. However, during testing, this behavior was not observed, indicating that a command and control server established no connection.

SonicWall has released a new signature, MalAgent.AutoITBot, to protect its customers from a specific malware threat.

The malware is identified by the file hash 6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0, which will detect and block the malware, preventing it from causing harm to customers.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial