Cybercriminals have used malware written in AutoHotkey, a scripting language for automating tasks on Windows, to steal user credentials in their attacks.
The main victims of the AutoHotkey malware were customers of banks in Canada and the United States. The criminals targeted large and well-known financial institutions: Alterna Bank, Capital One, Manulife, Scotiabank, HSBC and the Royal Bank of Canada.
AutoHotkey (AHK), as the name suggests, is an open-source scripting language for Windows designed to simplify and automate the use of hotkeys; it can also be used to write macros.
The AutoHotkey malware is distributed through an Excel file that drops it onto the system and runs the "adb.ahk" script. The loader also establishes persistence on the victim's system.
When required, the downloader fetches additional AHK scripts from command-and-control (C&C) servers located in the USA, the Netherlands and Sweden. One feature distinguishes this malware: it does not receive commands from the C&C directly but instead downloads and runs a separate AHK script for each task.
“Using this approach, attackers can load a special script to perform a particular task. It also protects the main components of the malicious scheme from sandboxing or analysis,” wrote the Trend Micro researchers who analyzed the malware.
The malware is known to steal credentials from Google Chrome, Opera and Microsoft Edge, which it does by running SQL queries against the browsers' local credential databases.
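The behaviours described above (an Excel document launching an AutoHotkey interpreter, AHK scripts dropped into user-writable directories, and a non-browser process reading a browser's credential database) are all visible in ordinary endpoint telemetry. The following is an added example of detection logic written for this article; it is not code from the original report or from Trend Micro. The event layout is a simplified, Sysmon-like shape that is an assumption, the sample events are constructed, and the process names and paths in them are illustrative only.

```python
"""Flag the AutoHotkey-malware behaviours from the article in endpoint events.

Added example, not from the original article or from Trend Micro's analysis.
Assumptions: events are dicts with Sysmon-like fields ("type", "parent",
"image", "cmdline", "path"); sample events below are constructed, not real.
"""
import ntpath
import re
from typing import Dict, List, Tuple

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
AHK_IMAGE_RE = re.compile(r"^autohotkey.*\.exe$", re.IGNORECASE)
# Locations an Office-delivered dropper can write to without admin rights.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Roaming|Local)|ProgramData|Users\\Public|Windows\\Temp)\\",
    re.IGNORECASE,
)
AHK_SCRIPT_RE = re.compile(r"[A-Za-z]:\\[^\"\s]+\.ahk", re.IGNORECASE)
# Chromium-based browsers (Chrome, Edge, Opera) keep saved logins in "Login Data".
CREDENTIAL_DBS = {"login data"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "opera.exe"}

# Constructed sample telemetry: one malicious chain and two benign look-alikes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Users\alice\AppData\Roaming\AutoHotkeyU64.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\AutoHotkeyU64.exe" C:\Users\alice\AppData\Roaming\adb.ahk'},
    {"type": "process",  # benign: user-installed AHK running a keyboard remap
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\Documents\remap_keys.ahk'},
    {"type": "file",
     "image": r"C:\Users\alice\AppData\Roaming\AutoHotkeyU64.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file",  # benign: the browser itself opening its own database
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]


def basename(path: str) -> str:
    """Lower-cased final path component; ntpath handles Windows paths anywhere."""
    return ntpath.basename(path).lower()


def check_process(ev: Dict[str, str]) -> List[str]:
    """Rules for process-creation events involving an AutoHotkey interpreter."""
    hits: List[str] = []
    image_path = ev.get("image", "")
    if not AHK_IMAGE_RE.match(basename(image_path)):
        return hits
    if basename(ev.get("parent", "")) in OFFICE_IMAGES:
        hits.append("office_spawns_ahk")  # Excel file launching AHK
    if USER_WRITABLE_RE.search(image_path):
        hits.append("ahk_interpreter_in_user_path")  # interpreter was dropped, not installed
    for script in AHK_SCRIPT_RE.findall(ev.get("cmdline", "")):
        if USER_WRITABLE_RE.search(script):
            hits.append("ahk_script_from_user_path")  # e.g. adb.ahk or a downloaded task script
            break
    return hits


def check_file(ev: Dict[str, str]) -> List[str]:
    """Rule for a process other than the browser touching a saved-login database."""
    if (basename(ev.get("path", "")) in CREDENTIAL_DBS
            and basename(ev.get("image", "")) not in BROWSER_IMAGES):
        return ["non_browser_reads_credential_db"]
    return []


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    findings: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        if ev.get("type") == "process":
            hits = check_process(ev)
        elif ev.get("type") == "file":
            hits = check_file(ev)
        else:
            hits = []
        findings.extend((idx, h) for h in hits)
    return findings


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Run against the constructed events, only the Excel-spawned interpreter in AppData (three rules) and the non-browser read of "Login Data" fire; the user-installed AutoHotkey running a script from Documents and Chrome opening its own database stay quiet. The rules match on image basenames, so an attacker who renames the interpreter evades the first three; correlating with the credential-database access and with outbound requests that fetch further .ahk files closes part of that gap.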