Experts Warn About Ongoing AutoHotkey-Based Malware Attacks

Cybersecurity researchers have uncovered an ongoing malware campaign that heavily relies on AutoHotkey (AHK) scripting language to deliver multiple remote access trojans (RAT) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini, and Vjw0rm on target Windows systems.

At least four different versions of the campaign have been spotted starting February 2021, according to researchers from Morphisec Labs.

“The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script,” the researchers noted. “This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions.”

AutoHotkey is an open-source custom scripting language for Microsoft Windows that’s meant to provide easy hotkeys for macro-creation and software automation, enabling users to automate repetitive tasks in any Windows application.

Regardless of the attack chain, the infection begins with an AHK executable that proceeds to drop and execute different VBScripts that eventually load the RAT on the compromised machine. In one variant of the attack first detected on March 31, the adversary behind the campaign encapsulated the dropped RAT with an AHK executable, in addition to disabling Microsoft Defender by deploying a Batch script and a shortcut (.LNK) file pointing to that script.

A second version of the malware was found to block connections to popular antivirus solutions by tampering with the victim’s hosts file. “This manipulation denies the DNS resolution for those domains by resolving the localhost IP address instead of the real one,” the researchers explained.