Cyber Threat Alert: AutoIT-Based RAT Delivered in Dual-Layered Attack

2025-05-19

A Deep Dive Into a Clever Malware Dropper Built With AutoIT Scripting

AutoIT, a scripting language originally designed for automating the Windows GUI, has once again proven itself as a favored weapon in the malware ecosystem. Known for its simplicity and deep OS integration, AutoIT continues to play a pivotal role in malware delivery. This recent campaign unveils a malicious operation where a Remote Access Trojan (RAT) is dropped through a double-layered AutoIT script. Leveraging deceptive techniques and persistent execution mechanisms, the attackers aim for stealth, persistence, and control, all while evading detection.

Let's break down this complex malware dropper that hides its payload through layers of obfuscation and scripting trickery.

🧪 Multi-Layered Infection Strategy Using AutoIT (30-Line Digest)

The attack begins with a deceptive executable named “1. Project & Profit.exe”. This file is a compiled AutoIT script and contains embedded strings referencing remote URLs and file paths. Once executed, it downloads two critical components into the Windows Public directory:

1. An AutoIT interpreter named `Guard.exe`.

2. A second AutoIT script saved as `Secure.au3`.

The first script also generates and runs a PowerShell file (PublicProfile.ps1) to support its execution. To establish persistence, the malware drops a .url file named SwiftWrite.url into the Windows Startup folder. This shortcut silently calls a JavaScript payload that re-triggers the second AutoIT script using an ActiveXObject.

The real stealth lies in the second layer, the Secure.au3 script. It is obfuscated with a custom function called Wales, which decodes strings stored as sequences of numerical ASCII values. For instance, one encoded sequence decodes to the check ProcessExists('avastui.exe'), used to detect antivirus tools.
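To make the Wales-style obfuscation concrete for analysts, here is an added example (not code from the article or from the malware) of a small static decoder: it finds every call that passes a comma-separated list of decimal ASCII codes, decodes the literal, and flags the decoded strings an analyst would want to review first. The article does not show the helper's exact call syntax, so the `Wales("...")` form, the sample script, and the review markers are assumptions constructed for the example.

```python
import re
from typing import List

# Constructed sample in the style of the article's second-stage script: every
# string literal is stored as comma-separated decimal ASCII codes and passed to
# a decoding helper. The article names the helper "Wales" but does not show its
# call syntax, so Wales("...") with a quoted argument is an assumption here.
SAMPLE_SCRIPT = r'''
Global $av = Wales("80,114,111,99,101,115,115,69,120,105,115,116,115,40,39,97,118,97,115,116,117,105,46,101,120,101,39,41")
If $av Then Sleep(60000)
Local $host = Wales("106,115,99,46,101,120,101")
'''

WALES_CALL = re.compile(r'Wales\("([0-9,\s]+)"\)')


def decode_ascii_codes(encoded: str) -> str:
    """Turn '80,114,111,...' back into text. Values outside 0-255 mean the
    argument is not a byte string, and the decoder refuses rather than guessing."""
    chars = []
    for tok in encoded.split(","):
        tok = tok.strip()
        if not tok:
            continue
        code = int(tok)
        if not 0 <= code <= 255:
            raise ValueError(f"not a byte value: {code}")
        chars.append(chr(code))
    return "".join(chars)


def extract_strings(script: str) -> List[str]:
    """Every decoded literal, in script order, for IOC and keyword review."""
    return [decode_ascii_codes(m.group(1)) for m in WALES_CALL.finditer(script)]


def deobfuscate(script: str) -> str:
    """Rewrite the script with each Wales(...) call replaced by its plain literal,
    so the control flow reads like ordinary AutoIT."""
    return WALES_CALL.sub(lambda m: '"' + decode_ascii_codes(m.group(1)) + '"', script)


# Markers an analyst would grep for in the decoded output; the AV check and the
# jsc.exe host process are the ones the article calls out (assumed list).
REVIEW_MARKERS = ("ProcessExists(", "avastui.exe", "jsc.exe", "\\Users\\Public")


def strings_of_interest(script: str) -> List[str]:
    return [s for s in extract_strings(script) if any(mk in s for mk in REVIEW_MARKERS)]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_SCRIPT))
    for s in strings_of_interest(SAMPLE_SCRIPT):
        print("REVIEW:", s)
```

Run it against the sample and the AV check and the `jsc.exe` host name fall out as plain text; on a real sample the regex is the part to adapt, since the helper's name and argument format are the only things that vary between droppers of this kind.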

Ultimately, the payload culminates with a call to jsc.exe, which is then injected with a malicious DLL file (Urshqbgpm.dll). Network activity from this DLL attempts to connect to a C2 server at 139[.]99[.]188[.]124:56001, a known address linked with AsyncRAT. However, forensic hints in the DLL suggest a possible relationship with PureHVNC, a Remote Desktop hijacking tool sold on the dark web.

The combination of scripting, obfuscation, and persistence techniques makes this dropper a dangerous example of AutoIT-based malware.

๐Ÿ” What Undercode Say:

This infection technique reflects a growing trend: the blending of old-school scripting tools with modern stealth tactics. AutoIT, much like VBA macros or PowerShell, continues to be a playground for attackers who seek to bypass conventional security measures. Here’s why this specific malware sample is worth paying attention to:

  1. Dual AutoIT Layering: The use of two distinct scripts, one simple and the other obfuscated, enables the attacker to hide the actual payload until late in the execution chain. This method delays detection and complicates static analysis.

  2. Interpreter Delivery: Dropping an AutoIT interpreter (Guard.exe) locally ensures that even systems without AutoIT installed can run the second-stage script. This increases compatibility and reduces the risk of failure.

  3. Obfuscation with Wales: Encoding strings as ASCII codes is a rudimentary but effective form of obfuscation. It defeats many automated detection tools and slows down manual analysis by reverse engineers.

  4. Antivirus Evasion: String checks like ProcessExists('avastui.exe') highlight how malware tries to remain dormant or change behavior in sandboxed or protected environments.

  5. Startup Persistence via .url Shortcut: This is a clever abuse of Windows features. The use of a .url file instead of a registry entry or scheduled task sidesteps many conventional persistence scanners.

  6. JavaScript Bridge to AutoIT: Combining JavaScript and AutoIT allows attackers to create multi-layered execution flows that confuse endpoint security agents.

  7. DLL Injection in jsc.exe: Using a legitimate Windows process as a host for a malicious DLL is a classic technique that enhances stealth. Targeting jsc.exe, rarely used in day-to-day operations, might help the malware evade attention for longer.

  8. AsyncRAT and PureHVNC Crossover: While the

  1. Opportunistic Targeting: The vague lure (“1. Project & Profit.exe”) implies broad targeting, possibly sent via email or cracked software platforms, aiming to attract users in business or finance sectors.

  2. Forensics Challenge: The obfuscation, scripting chain, and modular delivery make this a challenging case for blue teams. Analysts must trace through PowerShell, AutoIT, JavaScript, and DLL layers to uncover the full behavior.

This dropper demonstrates not only technical craft but also an understanding of how to fly under the radar. The use of common Windows scripting environments, lightweight interpreters, and encoded payloads makes it a powerful method for delivering remote control malware in corporate and personal environments alike.

✅ Fact Checker Results:

AutoIT scripting has long been used in malware delivery ✅
The malware uses layered obfuscation, persistence, and DLL injection ✅
C2 server links are consistent with AsyncRAT and PureHVNC reports 🔍🕵️‍♂️💻

🔮 Prediction:

With the increasing attention given to PowerShell and macro-based malware by security vendors, attackers are expected to pivot more toward lesser-monitored scripting platforms like AutoIT. Expect a rise in modular droppers using interpreters embedded during runtime, obfuscation through encoded ASCII functions, and multi-script chains involving JS and PowerShell. These attacks will likely be paired with commodity RATs like AsyncRAT and commercial tools like PureHVNC, making them both accessible and dangerous.

Security teams should prepare by enhancing detection for unusual .url shortcut activity, unexpected usage of jsc.exe, and files dropped in C:\Users\Public. Proactive hunting for encoded script strings and unusual AutoIT interpreter activity will become crucial in catching these threats early.
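The three hunting leads above (.url shortcuts in Startup, unexpected jsc.exe launches, and drops into C:\Users\Public) can be expressed as simple rules over endpoint telemetry. The following is an added example written for this article, not code from the original report or from any vendor: it runs the rules over a handful of constructed Sysmon-like events and adds a triage check for .url file contents. The event shape, the sample paths and parents, the "trusted parent" directories, and the sample .url bodies are all assumptions made for the example; the file names mirror the ones the article reports.

```python
import os
import re
from typing import List, Optional, Tuple

# Constructed sample telemetry in a Sysmon-like shape (not real logs). File and
# process names mirror those the article reports; the paths, parents and the
# benign events are invented for the example.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": "C:\\Users\\bob\\Downloads\\1. Project & Profit.exe",
     "target": "C:\\Users\\Public\\Guard.exe"},
    {"event": "FileCreate", "image": "C:\\Users\\bob\\Downloads\\1. Project & Profit.exe",
     "target": "C:\\Users\\Public\\Secure.au3"},
    {"event": "FileCreate", "image": "C:\\Users\\Public\\Guard.exe",
     "target": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\SwiftWrite.url"},
    {"event": "ProcessCreate", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe",
     "parent_image": "C:\\Users\\Public\\Guard.exe"},
    {"event": "ProcessCreate", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"event": "FileCreate", "image": "C:\\Program Files\\Vendor\\app.exe",
     "target": "C:\\Users\\Public\\Documents\\report.pdf"},
]

Hit = Tuple[str, str]
PUBLIC_ROOT = "c:\\users\\public"
STARTUP_MARK = "\\start menu\\programs\\startup\\"
DROPPER_EXT = {".exe", ".dll", ".au3", ".ps1", ".js", ".vbs", ".url", ".bat", ".cmd"}
# Assumed allow-list of parent locations for a jsc.exe launch (build tooling lives there).
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def rule_public_drop(ev: dict) -> Optional[Hit]:
    """Executable or script content written directly into C:\\Users\\Public."""
    if ev.get("event") != "FileCreate":
        return None
    head, _, name = _norm(ev["target"]).rpartition("\\")
    if head == PUBLIC_ROOT and os.path.splitext(name)[1] in DROPPER_EXT:
        return ("public_drop", ev["target"])
    return None


def rule_startup_url(ev: dict) -> Optional[Hit]:
    """A .url shortcut landing in any user's Startup folder."""
    if ev.get("event") != "FileCreate":
        return None
    t = _norm(ev["target"])
    if STARTUP_MARK in t and t.endswith(".url"):
        return ("startup_url", ev["target"])
    return None


def rule_jsc_exec(ev: dict) -> Optional[Hit]:
    """jsc.exe started by a parent outside Windows / Program Files."""
    if ev.get("event") != "ProcessCreate":
        return None
    if not _norm(ev["image"]).endswith("\\jsc.exe"):
        return None
    parent = _norm(ev.get("parent_image", ""))
    if not parent.startswith(TRUSTED_PARENT_DIRS):
        return ("jsc_untrusted_parent", f"{ev.get('parent_image', '?')} -> {ev['image']}")
    return None


RULES = (rule_public_drop, rule_startup_url, rule_jsc_exec)


def hunt(events: List[dict]) -> List[Hit]:
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                hits.append(hit)
    return hits


URL_LINE = re.compile(r"^URL=(.*)$", re.IGNORECASE | re.MULTILINE)


def shortcut_is_suspicious(url_file_text: str) -> bool:
    """Triage a .url body: ordinary shortcuts point at http(s); any other target
    (a local script, another scheme) deserves review. The article does not show
    SwiftWrite.url's actual target, so this is a generic check, not a signature."""
    m = URL_LINE.search(url_file_text)
    return bool(m) and not m.group(1).strip().lower().startswith(("http://", "https://"))


# Constructed .url bodies for the check above (placeholder file names).
BENIGN_URL = "[InternetShortcut]\r\nURL=https://example.com/\r\n"
SUSPECT_URL = "[InternetShortcut]\r\nURL=file:///C:/Users/Public/launcher.js\r\n"

if __name__ == "__main__":
    for rule_name, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule_name}] {detail}")
    print("benign .url suspicious?", shortcut_is_suspicious(BENIGN_URL))
    print("suspect .url suspicious?", shortcut_is_suspicious(SUSPECT_URL))
```

Each rule is deliberately narrow so that it can be tuned on its own: the Public-folder rule only fires on the folder root and on droppable extensions, so ordinary documents shared there stay quiet, and the jsc.exe rule keys on the parent rather than on the binary alone, since legitimate build tooling under Program Files may still invoke it.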

References:

Reported By: isc.sans.edu