A new financial-industry malware written in the AutoHotkey language

A new data-stealing malware has been discovered by the security firm Trend Micro. The malware is written in the AutoHotkey scripting language and, once installed, targets the browser, where it is said to be able to steal banking credentials. At present, customers of North American banks are the ones affected.


Campaigns using this malware began earlier this year, and customers of Scotiabank, PayPal, Royal Bank of Canada, Capital One and HSBC have been affected so far. Trend Micro observed the C&C servers used in the attack in the United States, the Netherlands and Sweden.

AutoHotkey is an open-source scripting language used mainly for automating tasks. In this campaign, attackers embedded malware written in AutoHotkey in malicious Excel files and sent them to victims by email. When the victim downloads and opens the file, the AutoHotkey downloader is dropped onto the victim’s computer. This downloader consists of several malware components, including a module that establishes persistence, a module that profiles the victim’s system, and a module that runs additional AutoHotkey scripts.
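The delivery chain described above (an Office document that ends up launching an AutoHotkey script) is something a defender can look for in endpoint telemetry. The following is an added example of such a check, not code from the article or from Trend Micro: it parses constructed, simplified process-creation records in a hypothetical `key=value|key=value` format (assumed here; real Sysmon or EDR exports differ) and flags events in which an Office application spawns the AutoHotkey interpreter or launches an `.ahk` script. The binary names, the log format and the sample lines are all assumptions made for the example.

```python
"""Flag process-creation events in which a Microsoft Office application
spawns the AutoHotkey interpreter or passes an .ahk script to a child.

Added example (hypothetical detection logic, not from the article or
Trend Micro). The record format and sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed names of Office parents and AutoHotkey interpreter binaries.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
AHK_BINARIES = {"autohotkey.exe", "autohotkeyu64.exe", "autohotkeyu32.exe"}
# An .ahk script named anywhere on the child's command line.
AHK_SCRIPT_RE = re.compile(r"\.ahk\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        parent_image=fields["ParentImage"],
        image=fields["Image"],
        command_line=fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when an Office process starts AutoHotkey or hands a child an .ahk script."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return False
    return basename(ev.image) in AHK_BINARIES or bool(AHK_SCRIPT_RE.search(ev.command_line))


def find_suspicious(lines: Iterable[str]) -> List[ProcessEvent]:
    """Return the events from `lines` that match the Office-to-AutoHotkey pattern."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample records: two benign, two matching the delivery chain.
SAMPLE_LOG = [
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
    r'|Image=C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe'
    r'|CommandLine="AutoHotkey.exe" C:\Users\alice\AppData\Local\Temp\update.ahk',
    r'ParentImage=C:\Windows\explorer.exe'
    r'|Image=C:\Program Files\AutoHotkey\AutoHotkey.exe'
    r'|CommandLine="AutoHotkey.exe" C:\Users\bob\scripts\hotkeys.ahk',
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
    r'|Image=C:\Windows\System32\splwow64.exe'
    r'|CommandLine=splwow64.exe 12288',
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    r'|Image=C:\Windows\System32\cmd.exe'
    r'|CommandLine=cmd.exe /c start C:\Users\alice\Downloads\invoice.ahk',
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"SUSPICIOUS: {basename(ev.parent_image)} -> {basename(ev.image)} :: {ev.command_line}")
```

A legitimate user launching AutoHotkey from Explorer (the second record) is deliberately not flagged; the signal is the Office parent, which matches the article's description of an Excel attachment dropping the AutoHotkey downloader.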

Although it has many components, the downloader’s ultimate purpose is to fetch and install the credential-stealing malware that targets the browser. The malware works against Microsoft Edge, Google Chrome, Opera and Firefox, and it is able to steal the browsers’ encrypted passwords.

The malware extracts the encryption keys from the browser, decrypts the stored passwords, and transmits the result to the C&C server, reportedly via HTTP POST requests. What is unusual about this malware is that it receives its instructions in the form of AutoHotkey scripts rather than as commands issued through the C&C server.

Trend Micro notes that the significance of using AutoHotkey is that the attacker chooses and delivers a specific script. In other words, the attacker can carry out a personalized attack against each victim or each target organization. It also keeps the malware’s key components hidden: the chance of analysis is reduced, and indeed the actual campaign took quite a while to discover.

Malware built with AutoHotkey is unusual; malware is more typically written in Python or C++. Go has been steadily gaining ground among criminals lately, but it is not yet mainstream. However, Trend Micro says, “This is not the first time that AutoHotkey has been exploited.” “In April 2019, information-stealing malware generated with AutoHotkey was detected.”

Furthermore, the security firm Check Point has also found AutoHotkey-based malware that was spread by infecting the installer of TeamViewer. Several embassies and diplomatic institutions in Europe were hit by the attack. Especially affected were the diplomatic institutions in Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon.

Another security firm, Avast, uncovered malware called Retadup in August 2019 and disabled the attack; it, too, was written in AutoHotkey. Retadup compromised around 850,000 Windows computers in 150 countries, and the attackers used the infected machines to mine cryptocurrency.