Hey, guys! How y’all doing? Excited for the new year? I know I am! I’m hoping next year will be a much better year than this year.
Today, we’re going to look at a credential stealer that’s built on the AutoHotkey (AHK) scripting language. It has come to light that this password stealer is being distributed by threat actors as part of an ongoing campaign that started early this year. Disturbingly, this password stealer is targeting US, Canadian and Indian banking users.
Let’s better understand this new credential stealer!
Who are the targets?
This password-stealer primarily targets customers of financial institutions in the US and Canada. Specifically, it focuses on banks such as Scotiabank, Royal Bank of Canada, HSBC, Alterna Bank, Capital One, Manulife, and EQ Bank. Indian banking firm ICICI Bank is also part of this unfortunate list.
AutoHotkey scripting language
With the objective of providing easy hotkeys for macro creation and software automation, AutoHotkey is an open-source scripting language for Microsoft Windows. These hotkeys let users automate repetitive tasks in any Windows application.
If you want to learn more about AutoHotkey, head over to their website.
Here are the links to the documentation and YouTube AutoHotkey tutorials, for your easy reference, too!
Understanding the infection chain
The multi-stage infection chain starts with a malware-infected Excel file that has a Visual Basic for Applications (VBA) AutoOpen macro embedded in it. This macro is used to drop and execute the downloader client script ("adb.ahk") using a legitimate portable AHK script compiler executable ("adb.exe").
This downloader is responsible for a number of things:
- Achieving persistence
- Profiling victims
- Downloading and running additional AHK scripts from command-and-control (C&C) servers located in the US, the Netherlands, and Sweden
This malware stands out because instead of waiting and receiving commands from the C&C server, it directly downloads and executes AHK scripts to accomplish various tasks to achieve the end goal.
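The chain above (an Office document spawning a portable AHK interpreter that runs an .ahk script from a user-writable folder) is something a defender can watch for in process-creation telemetry. Below is an added detection example written for this post, not code from the original article or from Trend Micro; the event fields, rule names and sample events are constructed to resemble Sysmon-style process-creation logs and are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Office applications that should not normally spawn a script interpreter.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Locations a dropped, portable interpreter typically lands in (assumption).
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)

# Constructed sample events in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsm'},
    {"pid": 4388, "image": r"C:\Users\alice\AppData\Local\Temp\adb.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\adb.exe" C:\Users\alice\AppData\Local\Temp\adb.ahk'},
    {"pid": 5012, "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\bob\scripts\hotkeys.ahk'},
]


def analyze(event):
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    cmdline = event["cmdline"].lower()
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    runs_ahk = ".ahk" in cmdline
    # Rule 1: an Office macro host launching something that takes an .ahk script.
    if runs_ahk and parent in OFFICE_PARENTS:
        hits.append("office_spawned_ahk")
    # Rule 2: an .ahk script run by an interpreter living in a user-writable path,
    # i.e. a portable copy rather than a normal installation.
    if runs_ahk and USER_WRITABLE.match(event["image"]):
        hits.append("ahk_interpreter_in_user_dir")
    return hits


def scan(events):
    """Flatten rule hits over a batch of events as (pid, rule) pairs."""
    return [(e["pid"], rule) for e in events for rule in analyze(e)]


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

A legitimately installed AutoHotkey run by a user (the third sample event) produces no hit, which is the point of keying on the parent process and the interpreter's location rather than on AHK itself.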
In an analysis, researchers from Trend Micro say:
"By doing this, the attacker can decide to upload a specific script to achieve customized tasks for each user or group of users. This also prevents the main components from being revealed publicly, specifically to other researchers or to sandboxes."
One of the most important components of this malware is a credential stealer that specifically targets browsers such as Google Chrome, Opera, Microsoft Edge, and more. After successful installation, the stealer also downloads an SQLite module ("sqlite3.dll") onto the infected machine so that it can run SQL queries against the SQLite databases within the browsers' application data folders.
Once the stealer has collected and decrypted credentials from browsers, it exfiltrates the information to the C&C server in plaintext via HTTP POST requests. This is the final step.
Figure 1: Different functions for password-stealers to perform on different browsers
Based on how the malware components are "well organized at the code level" and the inclusion of usage instructions (written in Russian), Trend Micro researchers suggest this could be the work of a "hack-for-hire" group that's behind the attack chain's creation and is also offering it to others as a service.
They end their analysis by noting this:
"By using a scripting language that lacks a built-in compiler within a victim's operating system, loading malicious components to achieve various tasks separately, and changing the C&C server frequently, the attacker has been able to hide their intention from sandboxes."
What do we do about this?
Since we’re discussing the browser-focused credential stealer here, the obvious takeaway from this article is: don’t store your passwords in your browser!
Even if we weren’t discussing a browser-focused credential stealer, storing passwords in the browser is a terrible practice any day. So, if you’re guilty of this charge, it’s time to change!
That’s it for today’s blog, y’all! Feel free to drop comments and share this blog if you found it interesting.
Stay safe and stay tuned.
Until next time, friends!
Credits: The Hacker News