2025-05-19
Cybercriminals are taking malware delivery to the next level. A new campaign discovered over the weekend involves a cleverly obfuscated Remote Access Trojan (RAT) using not one, but two layers of AutoIT scripting. This isn’t just another routine malware dropper — it’s a complex web of compiled scripts, encoded functions, and stealthy persistence mechanisms that reveal how persistent attackers have become at flying under the radar.
AutoIT, known for its simplicity and deep integration with Windows, has been a favorite among threat actors for years. But this time, it’s being used in an unusually layered and evasive fashion, making detection and analysis far more difficult. Below, we’ll break down the infection process, unpack the malware’s behavior, and explore what makes this RAT dropper particularly dangerous.
Malware Flow Breakdown (Digest Summary)
Security researcher Xavier Mertens uncovered a malware sample called “1. Project & Profit.exe”, an AutoIT-compiled binary. This executable, when launched, initiates a multi-stage attack:
Stage One: The executable drops a PowerShell script named PublicProfile.ps1, then downloads a legitimate AutoIT interpreter (saved as Guard.exe) and a second AutoIT script (saved as Secure.au3).
Persistence: The attack achieves startup persistence by placing a malicious .url file in the Startup folder. This .url file references a JavaScript file (SwiftWrite.js), which in turn launches the AutoIT interpreter and its embedded script (G).
Stage Two: The second AutoIT layer (G) is heavily obfuscated. It uses a function called Wales to decode string values. For example, one decoded string is ProcessExists('avastui.exe'), an anti-analysis check that tests whether the Avast antivirus process is running.
Final Payload: Eventually, the malware injects a DLL (Urshqbgpm.dll) into the jsc.exe process. This DLL connects to a remote Command & Control server on IP 139[.]99[.]188[.]124 via port 56001, indicating a possible AsyncRAT infection.
Additional Indicators: Inside the DLL are multiple references to PureHVNC, a toolset that enables full remote control of infected machines, suggesting multifunctional RAT capabilities.
These elements form a potent malware chain that mixes traditional AutoIT scripting with stealthy execution, obfuscation, and remote access components.
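The chain above leaves a recognisable trail in endpoint telemetry: a .url file written to a Startup folder, a script host (wscript.exe) spawning a renamed AutoIT interpreter from a user-writable directory with a .au3 argument, and jsc.exe opening an outbound connection. The following detection logic is an added example, not code from the write-up or from ISC SANS; it runs over constructed Sysmon-style event records, and the only page-specific values it uses are the file names, IP and port quoted above.

```python
"""Flag the AutoIT dropper chain in constructed Sysmon-style events (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Indicators quoted in the write-up.
C2_IP = "139.99.188.124"
C2_PORT = 56001
CHAIN_FILES = {"guard.exe", "secure.au3", "swiftwrite.js", "publicprofile.ps1", "urshqbgpm.dll"}

# Generic (non-IoC) heuristics: user-writable roots, Startup .url drops, script hosts.
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)
STARTUP_URL = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.url$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Event:
    kind: str            # "file" | "process" | "network"
    image: str = ""      # image path of the acting process
    parent: str = ""     # parent process image path (process events)
    cmdline: str = ""
    target: str = ""     # created file path (file events)
    dst_ip: str = ""
    dst_port: int = 0


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_public_ip(ip: str) -> bool:
    try:
        return ip_address(ip).is_global
    except ValueError:
        return False


def check_event(ev: Event) -> list[str]:
    """Return the finding names that apply to one event (empty when benign)."""
    findings = []
    if ev.kind == "file" and STARTUP_URL.search(ev.target):
        findings.append("startup_url_dropped")
    if ev.kind == "process":
        if basename(ev.parent) in SCRIPT_HOSTS and USER_WRITABLE.match(ev.image):
            findings.append("script_host_launched_user_writable_binary")
        if re.search(r"\.au3\b", ev.cmdline, re.I) and USER_WRITABLE.match(ev.image):
            findings.append("autoit_script_run_from_user_dir")
        if basename(ev.image) in CHAIN_FILES or any(f in ev.cmdline.lower() for f in CHAIN_FILES):
            findings.append("known_chain_filename")
    if ev.kind == "network":
        if ev.dst_ip == C2_IP or ev.dst_port == C2_PORT:
            findings.append("known_c2_indicator")
        # jsc.exe (the .NET JScript compiler) has no business beaconing to the Internet.
        if basename(ev.image) == "jsc.exe" and is_public_ip(ev.dst_ip):
            findings.append("jsc_exe_outbound_connection")
    return findings


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, finding) pairs for a whole event stream."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry; the user name and .url file name are placeholders.
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_EVENTS = [
    Event("file", target=APPDATA + r"\Microsoft\Windows\Start Menu\Programs\Startup\Update.url"),
    Event("process", image=r"C:\Windows\System32\wscript.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=f'wscript.exe "{APPDATA}\\SwiftWrite.js"'),
    Event("process", image=APPDATA + r"\Guard.exe", parent=r"C:\Windows\System32\wscript.exe",
          cmdline=f'"{APPDATA}\\Guard.exe" "{APPDATA}\\Secure.au3"'),
    Event("network", image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
          dst_ip=C2_IP, dst_port=C2_PORT),
    Event("process", image=r"C:\Windows\System32\svchost.exe", parent=r"C:\Windows\System32\services.exe"),
    Event("network", image=r"C:\Program Files\Google\Chrome\chrome.exe", dst_ip="142.250.80.46", dst_port=443),
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

The IoC rules (IP, port, file names) catch this specific sample; the behavioural rules (Startup .url drop, script host spawning a binary from a user-writable path, a compiler binary talking to the Internet) are what keep firing after the operators rotate infrastructure and file names.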
What Undercode Says:
This campaign demonstrates a significant evolution in how AutoIT is abused in the malware ecosystem. Previously seen as a convenient scripting language for simple automation, AutoIT has matured into a viable malware delivery mechanism, offering flexibility, stealth, and high compatibility with Windows systems.
The use of a two-layer AutoIT dropper highlights attackers’ growing reliance on multi-stage loaders. The first stage acts like a clean wrapper that might pass initial antivirus scans: it simply downloads an interpreter and drops additional scripts. The real threat is hidden in the second stage, which is not only obfuscated but also includes sandbox-evasion techniques, such as checking whether the Avast process avastui.exe is running.
Another clever move is persistence via .url shortcuts. Instead of directly adding registry keys or services (which most AVs monitor), this campaign uses a legitimate Windows feature to re-trigger malicious components during startup. It’s a soft bypass of common defenses.
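Because a .url file is a plain Internet Shortcut (an INI-style text file with an `[InternetShortcut]` section and a `URL=` line), the Startup-folder trick is easy to audit: a shortcut whose target is a `file:` URL or bare path pointing at a script or executable, especially one under a user profile, is not something a legitimate application normally drops there. The parser and check below are an added example, not code from the write-up; the shortcut contents are constructed, and the Startup-folder paths it scans are the standard per-user and all-users locations.

```python
"""Audit Internet Shortcut (.url) files for script/executable targets (added example)."""
import configparser
import os
from urllib.parse import unquote, urlparse

# File types Windows will execute when the shortcut is opened at logon.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".bat", ".cmd", ".exe", ".scr", ".au3"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Standard Startup folders (per-user and all-users); scanned only if present.
STARTUP_DIRS = [
    os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"),
]


def parse_url_shortcut(text: str):
    """Return the URL= target of a .url file, or None when the file has none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def local_target(url: str):
    """Map a file: URL or bare Windows path to a local path; None for web URLs."""
    parsed = urlparse(url)
    if parsed.scheme.lower() == "file":
        return unquote(parsed.path).lstrip("/").replace("/", "\\")
    if len(parsed.scheme) <= 1:          # bare path such as C:\... (drive letter parses as scheme)
        return url.replace("/", "\\")
    return None


def assess_url_shortcut(text: str) -> dict:
    """Classify one .url file's contents; 'reasons' explains any suspicious verdict."""
    target = parse_url_shortcut(text)
    if target is None:
        return {"target": None, "suspicious": False, "reasons": ["no URL= entry"]}
    reasons = []
    local = local_target(target)
    if local is not None:
        ext = os.path.splitext(local)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"shortcut launches a local script/executable ({ext})")
        if local.lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("target lives in a user-writable directory")
    return {"target": target, "suspicious": bool(reasons), "reasons": reasons}


def scan_startup_folders(dirs=STARTUP_DIRS) -> list[tuple[str, dict]]:
    """Assess every .url file in the given Startup folders (missing folders are skipped)."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if name.lower().endswith(".url"):
                path = os.path.join(d, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.append((path, assess_url_shortcut(fh.read())))
    return results


# Constructed samples: a normal web shortcut and one in the style of the campaign
# (the profile name is a placeholder; SwiftWrite.js is the file name from the write-up).
BENIGN_URL = "[InternetShortcut]\nURL=https://www.example.com/\n"
SUSPICIOUS_URL = ("[InternetShortcut]\n"
                  "URL=file:///C:/Users/alice/AppData/Roaming/SwiftWrite.js\n"
                  "IconIndex=0\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_URL), ("suspicious", SUSPICIOUS_URL)):
        print(label, assess_url_shortcut(sample))
    for path, verdict in scan_startup_folders():
        print(path, verdict)
```

Hunting this way complements, rather than replaces, Run-key and service monitoring: the point of the technique is precisely that it avoids the registry locations most products watch, so the Startup folders need their own file-creation alerting.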
The Wales encoding function also points toward deliberate efforts to prevent reverse engineering. Every string must be decoded before the malware’s actual behavior is revealed. This not only buys the malware more time in the wild, but it also slows down threat intelligence and response efforts.
The injection into jsc.exe, a legitimate Windows Script Component process, adds another layer of stealth. Injecting into known system processes is a well-known evasion tactic, often used by sophisticated malware families like Cobalt Strike or Agent Tesla.
The reference to AsyncRAT in combination with PureHVNC is particularly concerning. AsyncRAT is known for providing remote command execution, screen monitoring, and keylogging. PureHVNC, on the other hand, allows attackers to control infected systems as if they were sitting in front of them. The blending of these two tools indicates that this malware isn’t just about spying — it’s about full-on, long-term remote access and manipulation.
The campaign uses a C2 server hosted on a dedicated IP and port, further pointing toward a persistent, professional operation, likely part of a malware-as-a-service (MaaS) setup on underground forums.
To sum up, this isn’t an opportunistic attack. It’s a carefully staged operation designed to evade detection, achieve persistence, and maintain remote control — making it highly dangerous for individuals and businesses alike.
Fact Checker Results ✅
AutoIT is widely used by malware developers due to its native Windows support.
The IP 139[.]99[.]188[.]124 is linked to previous AsyncRAT operations.
Obfuscation via encoded strings is a common technique in sophisticated malware campaigns.
🕵️‍♂️ Accuracy: High
🔎 Depth of Analysis: Verified
🚨 Threat Level: Critical
Prediction 🔮
Given how this campaign leverages multiple evasion techniques and RAT tools like AsyncRAT and PureHVNC, we can expect more malware families to adopt modular AutoIT loaders in the future. Defensive tools will need to enhance behavioral detection, focusing on script-based persistence and encoded strings. Organizations should expect an increase in AutoIT-based phishing lures and must proactively monitor for obfuscated .au3 or .exe scripts initiating from public user directories.
References:
Reported By: isc.sans.edu