Living-off-the-land attacks aren’t new. They’re tactics in which attackers misuse tools native to an infected device. They do this in an effort to not install any foreign files or tools as a means. That way, most security tech won’t notice something odd going on. We’ve taken a look at one of these, misuse of AutoHotkey, and how to prevent it.

Several attackers involving living-off-the-land methods have made headlines in recent years. For example, a threat actor known as Gallmaker used the Microsoft Office Dynamic Data Exchange protocol back in 2018 to spy on its victims. A year later, attackers misused the Windows Management Instrumentation Command tool to distribute Astaroth.

What Is AutoHotkey?

What is new is attackers’ decision to misuse AutoHotkey. This is a Microsoft product, an open-source scripting language designed for machines running Microsoft Windows. AutoHotkey scripts can automate repetitive tasks in a Windows app by creating macros, shortcuts or hotkeys.

How Are Malware Actors Using AutoHotkey Scripts?

One of the first publicly reported attacks involving AutoHotkey was a credential stealer written in AutoHotkey found in March 2018. It disguised itself as Kaspersky Antivirus and spread via infected USB devices. The threat, dubbed Fauxpersky, dropped four files into the affected environment. Together, those files launched a keylogger. This sent the stolen user input to the attackers and then distributed the threat to other removable media.

Fast forward to December 2020, when Trend Micro discovered a malicious Excel file concealing an AutoHotkey script compiler executable, a malicious AutoHotkey script file and a VBA AutoOpen macro. The operation used the script file to profile victims and perform different tasks. Those included harvesting credentials from a victim’s browser and sending them to the attackers.

A few months later, Cofense came across two phishing emails targeting Spanish users. One of the emails instructed the recipient to download a file protected by a password. Meanwhile, the other prompted recipients with the lure of pending legal documents. These payloads used either the Microsoft Service Identity service or a malicious Finger command to create a second .zip file. This archive contained three items: a real AutoHotkey compiler executable, a malicious AutoHotkey script and the Mekotio banking Trojan as a .dll. Once loaded, Mekotio attempted to load fake webpages for targeted banks. It also watched for bitcoin addresses that were copied to the clipboard.

Which brings us to a recent attack: in mid-May 2021, a remote access Trojan delivery campaign began with an AutoHotkey-compiled script. This script loaded an executable that, when it ran, branched into one of four versions. These involved different VBScripts and malware payloads including VjW0rm, Houdini and HCrypt.

How to Defend Against These New Attacks

The campaigns above highlight the need for employers to defend themselves against attacks via AutoHotkey scripts. One of the ways they can do that is by restricting phishing emails and other attacks that could deliver malicious AutoHotkey compiler executables. They can do this by investing in a security awareness training program that uses phishing tests to make employees familiar with email-based attacks. You can balance these human controls with technical measures, as well. Think email banners that signal when a message has come from outside of the group.

Beyond awareness training, you can also take steps to defend against fileless attacks. This involves carefully reviewing the native apps and tools that your employees need for their normal work. With that knowledge, security personnel can then disable whichever are not needed.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…