AutoIT-Based RAT Uses Double-Layer Obfuscation to Drop PureHVNC Malware


2025-05-19

A New Twist in RAT Delivery: How Threat Actors Are Leveraging AutoIT for Stealthier Malware

A new Remote Access Trojan (RAT) campaign has surfaced that cleverly leverages a two-tiered AutoIT script to distribute sophisticated malware. AutoIT, a scripting language primarily known for automating Windows GUI tasks, has long been abused by attackers due to its ease of use and deep integration with the Windows OS. This new threat, discovered by cybersecurity expert Xavier Mertens, exemplifies the growing trend of malware authors embedding payloads within multiple AutoIT layers to evade detection and gain persistence.

🧩 Dissecting the Attack Step-by-Step

The attack begins with an executable file titled “1. Project & Profit.exe” (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). This is not a regular Windows executable but a compiled AutoIT script. Once decompiled, it reveals key hardcoded elements:

- Downloader URLs such as `hxxps://xcvbsfq32e42313[.]xyz/OLpixJTrO`
- File paths such as `C:\Users\Public\Guard.exe` and `Public\Profile.ps1`

The executable writes a PowerShell script (Profile.ps1) to disk and executes it. In the background, that script downloads an AutoIT interpreter (saved as Guard.exe) and a secondary AutoIT script. This second script is the crucial piece: it contains the obfuscated logic for the malware's real operations.

Persistence is cleverly established via a shortcut .url file placed in the Windows Startup folder. This shortcut re-launches the malware on each system boot using a hidden JavaScript command.

The second AutoIT layer, stored as a file called “G”, is heavily obfuscated. It employs a custom string decoder function named Wales, which hides commands like:

```autoit
Wales(80]114]111]99]101]115]115]69…)   ; decodes to ProcessExists('avastui.exe')
```

This snippet demonstrates the malware’s anti-analysis capabilities by detecting security software such as Avast.
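An analyst-side decoder for this string scheme, added here as an example and not code from the diary or from the malware itself. It assumes the encoded strings are `]`-separated decimal character codes passed, quoted, to a function named Wales (the page shows only the prefix of one call), and the sample script it runs over is constructed to match that pattern.

```python
import re

# Constructed sample in the style the page describes: the decoder function is
# called Wales and receives ']'-separated decimal character codes. The full
# code sequences below are constructed; the page only shows a prefix.
SAMPLE_SCRIPT = r'''
Local $func = Wales("80]114]111]99]101]115]115]69]120]105]115]116]115")
Local $proc = Wales("97]118]97]115]116]117]105]46]101]120]101")
If Call($func, $proc) Then Exit
'''

# Matches Wales("...") with a quoted argument (assumed); adjust the pattern if
# the sample being analysed passes the codes unquoted.
WALES_CALL = re.compile(r'Wales\("([0-9\]]+)"\)')

# Decoded strings an analyst should flag, with the reason.
WATCHLIST = {
    "ProcessExists": "process check, typically used to detect security software",
    "avastui.exe": "Avast UI process name (anti-AV check)",
}


def decode_wales(encoded: str) -> str:
    """Rebuild the plaintext: each ']'-separated field is a decimal char code."""
    return "".join(chr(int(code)) for code in encoded.split("]") if code)


def deobfuscate(script: str) -> str:
    """Replace every Wales("...") call with its decoded literal so the script reads plainly."""
    return WALES_CALL.sub(lambda m: "'" + decode_wales(m.group(1)) + "'", script)


def triage(script: str) -> dict:
    """Return {decoded_string: reason} for decoded values on the watchlist
    or that look like an executable name."""
    findings = {}
    for m in WALES_CALL.finditer(script):
        text = decode_wales(m.group(1))
        if text in WATCHLIST:
            findings[text] = WATCHLIST[text]
        elif text.lower().endswith(".exe"):
            findings[text] = "executable name referenced in an encoded string"
    return findings


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_SCRIPT))
    for value, reason in triage(SAMPLE_SCRIPT).items():
        print(f"{value}: {reason}")
```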

The final stage involves launching jsc.exe, a legitimate Microsoft utility, which then gets injected with a DLL file named Urshqbgpm.dll. The DLL attempts to communicate with the C2 server at 139[.]99[.]188[.]124:56001, a known indicator linked to AsyncRAT. However, further static analysis reveals code snippets associated with PureHVNC, a Remote Access Trojan marketed on dark web forums for full desktop hijacking.

🔍 What Undercode Say:

This malware campaign underscores the increasing sophistication in how threat actors use dual-stage AutoIT scripts for evasion, payload delivery, and persistence. The AutoIT language, while legitimate and used in enterprise environments for automation, offers a high level of interaction with Windows OS components, making it ideal for malware development.

What makes this campaign noteworthy is not just the use of AutoIT, but the layered obfuscation strategy. The initial script appears benign, simply generating and executing a PowerShell script. However, this is merely a wrapper for a more malicious sequence that involves downloading further components, setting up persistence, and injecting payloads stealthily.

The use of .url files for persistence is clever. Unlike registry-based methods that are often monitored by security tools, shortcut-based persistence is subtler and often overlooked. The malware even places these files in the legitimate-looking folder path under WordGenius Technologies, mimicking legitimate applications to deceive both users and automated detection systems.

The second AutoIT layer, masked behind encoded strings and custom functions like Wales, hints at how threat actors are investing more effort in avoiding both static and dynamic analysis. By encoding command strings, they slow down reverse engineering and avoid detection by signature-based antivirus engines.

Furthermore, the mention of avastui.exe in decoded strings shows that the malware is designed with anti-analysis features. It checks for the presence of security software before proceeding, reducing the chance of being sandboxed or detected during initial infection.

Finally, the use of jsc.exe, a native Windows binary, for code injection reflects a broader trend known as LOLBins (Living Off the Land Binaries), where malware leverages trusted system tools to execute malicious actions. This reduces the likelihood of detection and helps maintain stealth across systems.

The payload’s attempt to connect to AsyncRAT infrastructure while also containing PureHVNC code suggests either a hybrid threat or that the malware has modular capabilities. It may be designed to deliver different payloads based on C2 instructions or initial system reconnaissance.

In essence, this campaign showcases a multi-faceted approach to malware deployment — combining scripting languages, native tools, and obfuscation tactics for effective compromise, evasion, and persistence.

✅ Fact Checker Results:

The initial binary is a compiled AutoIT script, verified via hash and decompilation. ✔️
The decoded strings point to known analysis evasion and anti-AV functions. ✔️
C2 infrastructure and malware behavior match known AsyncRAT and PureHVNC activity. 🔍

🔮 Prediction:

As AutoIT continues to be overlooked by many detection engines due to its legitimacy in corporate automation, it will likely remain a favorite among attackers. Expect future variants to embed even deeper obfuscation and perhaps use machine learning models to detect sandbox environments. More sophisticated attacks could eventually chain AutoIT with other script engines like VBScript or PowerShell to further blur detection lines.

Blue teams should invest in behavior-based detection systems that can spot anomalies like .url persistence files and unexpected execution of interpreters like jsc.exe. As script-based malware evolves, so must defensive strategies.
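A defender-side check for the .url persistence described above, added as an example and not code from the diary. It parses Windows .url shortcut files (INI-style, a `[InternetShortcut]` section with a `URL=` key) and flags any whose target is not a plain http(s) address, which catches a `javascript:` or `file:` target placed in a Startup folder; the two sample shortcut contents are constructed, and the Startup folder locations named in the docstring are the usual ones rather than anything taken from the page.

```python
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed .url contents: an ordinary web shortcut, and one in the style of
# the startup shortcut described above, whose target is script rather than a site.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/\r\n"
SUSPICIOUS_URL_FILE = "[InternetShortcut]\r\nURL=javascript:void(0)\r\nIconIndex=0\r\n"

# Anything other than a plain web link in a Startup folder deserves review.
EXPECTED_SCHEMES = {"http", "https"}

def shortcut_target(contents: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    in_section = False
    for raw in contents.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def classify_shortcut(contents: str) -> str:
    """'ok' for a plain http(s) target; otherwise a short reason to review the file."""
    target = shortcut_target(contents)
    if target is None:
        return "no URL target (malformed shortcut)"
    scheme = urlsplit(target).scheme.lower()
    if scheme in EXPECTED_SCHEMES:
        return "ok"
    return f"non-web target scheme '{scheme or 'none'}': {target}"

def scan_startup(folders: List[Path]) -> List[Tuple[Path, str]]:
    """Return (path, reason) for each .url file in the given Startup folders that is
    not a plain web link. Typical folders (assumed, via the usual environment variables):
    %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup and the
    %ProgramData% equivalent."""
    findings = []
    for folder in folders:
        if not folder.is_dir():
            continue
        for path in folder.glob("*.url"):
            verdict = classify_shortcut(path.read_text(errors="replace"))
            if verdict != "ok":
                findings.append((path, verdict))
    return findings
```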

References:

Reported By: isc.sans.edu