2025-05-19
Unpacking a Modern Multi-Stage Infection Technique Using AutoIT Scripts
AutoIT may seem like an outdated scripting language, but cybercriminals still find new ways to use it for malicious intent. A recent discovery reveals a Remote Access Trojan (RAT) cleverly concealed behind two obfuscated layers of AutoIT code, proving that even older tools in the malware arsenal remain dangerously effective. This analysis walks through how attackers leveraged AutoIT to deploy malware, maintain persistence, and possibly launch remote control attacks using well-known payloads like AsyncRAT and PureHVNC.
🧠 Here’s What Happened:
A suspicious file named “1. Project & Profit.exe” kicked off the infection chain. While it looks like a harmless executable, it’s actually a compiled AutoIT script. Once decompiled, several embedded URLs and file paths become visible, such as:
- the URL `hxxps://xcvbsfq32e42313[.]xyz/OLpixJTrO`
- a download named `Guard.exe` (an AutoIT interpreter)
- scripts named `PublicProfile.ps1` and `Secure.au3`
The first layer of code does the following:
1. Drops and runs a PowerShell script (`PublicProfile.ps1`).
2. Downloads an AutoIT interpreter (`Guard.exe`).
3. Retrieves a second AutoIT script to continue the infection.
Persistence is ensured via a `.url` shortcut placed in the Windows Startup directory, which points to a malicious JavaScript file (`SwiftWrite.js`). This JS file re-launches the AutoIT interpreter (`SwiftWrite.pif`) along with the second stage of the payload (`G`).
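A hunting check for the persistence mechanism described above, added here as an example; it is not code from the ISC diary or from the malware. It parses the INI-style `[InternetShortcut]` format that Windows uses for `.url` files and flags shortcuts whose target is a local script or executable rather than a web address, then applies the same check to every `.url` file in the per-user Startup folder. The sample shortcut contents and the `C:\Users\Public\SwiftWrite.js` path are constructed for the example; the page does not state where the real script lived.

```python
"""Hunt for .url Startup shortcuts that launch local scripts instead of opening a web page.

Added example, not code from the ISC diary or the malware itself. It parses the
INI-style [InternetShortcut] format that Windows uses for .url files and flags
entries whose URL= target is a local file with a script/executable extension.
"""
import os
import re
from urllib.parse import unquote, urlparse

# Extensions that Windows hands to a script host or runs directly when a
# .url shortcut's target is a local file.
EXECUTABLE_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".pif", ".scr",
    ".bat", ".cmd", ".ps1", ".exe", ".com", ".lnk",
}

# Constructed sample content; the on-disk location of SwiftWrite.js in the real
# campaign is not stated on the page, so this path is an assumption.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file:///C:/Users/Public/SwiftWrite.js
IconIndex=0
"""

# Constructed benign bookmark for comparison.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://isc.sans.edu/
"""


def parse_url_shortcut(text):
    """Return the key/value pairs of the [InternetShortcut] section (keys lower-cased)."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def local_target(url):
    """Map a file:// URL to a Windows path; return None for non-file schemes."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        return None
    path = unquote(parsed.path)
    # file:///C:/x parses to the path "/C:/x"; drop the slash before the drive letter.
    if re.match(r"^/[A-Za-z]:", path):
        path = path[1:]
    if parsed.netloc:  # UNC form: file://server/share/x
        path = "\\\\" + parsed.netloc + path
    return path.replace("/", "\\")


def assess_shortcut(text):
    """Return the reasons a shortcut looks like a persistence mechanism (empty list = benign)."""
    entries = parse_url_shortcut(text)
    url = entries.get("url", "")
    if not url:
        return ["no URL= entry"]
    target = local_target(url)
    if target is None:
        return []  # ordinary web bookmark
    reasons = ["target is a local file rather than a web address"]
    ext = os.path.splitext(target)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"target extension {ext} is executed, not displayed")
    if re.search(r"\\(Users|ProgramData|Temp|AppData)\\", target, re.IGNORECASE):
        reasons.append("target lives in a user-writable location")
    return reasons


def scan_startup_folder(folder=None):
    """Assess every .url file in the per-user Startup folder; returns {path: reasons}."""
    if folder is None:
        folder = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                              "Start Menu", "Programs", "Startup")
    findings = {}
    if not os.path.isdir(folder):
        return findings  # not on Windows, or folder absent
    for name in os.listdir(folder):
        if name.lower().endswith(".url"):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = assess_shortcut(fh.read())
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    for label, sample in (("constructed malicious", SUSPICIOUS_URL_FILE),
                          ("constructed benign", BENIGN_URL_FILE)):
        print(label, "->", assess_shortcut(sample) or "no findings")
    for path, reasons in scan_startup_folder().items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The Startup folder is processed at each interactive logon, so a scheduled run of this check (or the equivalent query in your EDR) catches a shortcut before the next logon re-launches the chain. The all-users Startup folder under `%ProgramData%` deserves the same treatment.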
The second AutoIT layer is heavily obfuscated using a custom function called `Wales`. Strings like `80]114]111]99]101]115]...` are ASCII code points written in decimal and separated by `]`; once decoded they become readable commands such as:
```
ProcessExists(avastui.exe)
```
This suggests the malware is checking if antivirus software is active before proceeding.
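An analyst-side decoder for this encoding, added as an example; it is not the malware's own `Wales` function (whose body is not shown on the page), and the short AutoIT snippet it runs over is constructed, with only the encoding scheme and the two decoded strings `ProcessExists` and `avastui.exe` taken from the page. Beyond decoding a single string, it pulls every `Wales("...")` argument out of a script and rewrites the calls as plain literals, which is the pass you would run before reading the second stage.

```python
"""Decode the ']'-separated decimal ASCII strings used by the second AutoIT layer.

Added example, not the malware's own Wales() function (whose body is not shown on
the page). It reverses the visible encoding: each character is stored as its
decimal code point, values separated by ']'. A small constructed AutoIT snippet is
embedded so the deobfuscation pass can run offline.
"""
import re

# Constructed stand-in for the obfuscated script; only the encoding scheme and the
# two decoded strings ("ProcessExists", "avastui.exe") come from the page.
SAMPLE_SCRIPT = '''
Func Wales($s)
    ; decoder body elided in this sample
EndFunc

Local $fn = Wales("80]114]111]99]101]115]115]69]120]105]115]116]115]")
Local $av = Wales("97]118]97]115]116]117]105]46]101]120]101]")
If Execute($fn & '("' & $av & '")') Then Exit
'''

# Wales("NNN]NNN]...") with an optional trailing separator or final unterminated value.
ENCODED_LITERAL = re.compile(r'Wales\("((?:\d{1,3}\])+\d{0,3})"\)')


def decode_wales_string(encoded, sep="]"):
    """Turn '80]114]111]...' into text; raise ValueError on a value outside 0..255."""
    chars = []
    for token in encoded.split(sep):
        if not token:
            continue  # tolerate the trailing separator
        value = int(token)
        if not 0 <= value <= 255:
            raise ValueError(f"{value} is not a byte value")
        chars.append(chr(value))
    return "".join(chars)


def extract_encoded_strings(script_text):
    """Return every Wales("...") argument in the script, in order of appearance."""
    return ENCODED_LITERAL.findall(script_text)


def deobfuscate_script(script_text):
    """Replace each Wales("...") call with the decoded string as an AutoIt literal."""
    def repl(match):
        decoded = decode_wales_string(match.group(1))
        # AutoIt escapes a double quote inside a double-quoted literal by doubling it.
        return '"' + decoded.replace('"', '""') + '"'
    return ENCODED_LITERAL.sub(repl, script_text)


def interesting_strings(script_text,
                        markers=(".exe", ".dll", "http", "Process", "Run", "Shell")):
    """Decoded strings worth a second look: process names, URLs, execution primitives."""
    hits = []
    for encoded in extract_encoded_strings(script_text):
        decoded = decode_wales_string(encoded)
        if any(m.lower() in decoded.lower() for m in markers):
            hits.append(decoded)
    return hits


if __name__ == "__main__":
    print(deobfuscate_script(SAMPLE_SCRIPT))
    print("Indicators:", interesting_strings(SAMPLE_SCRIPT))
```

Because the cleartext only exists after decoding, a static signature on the strings themselves will miss this sample; a YARA-style rule keyed on the decoder call pattern (a function taking long `]`-delimited digit strings) or a sandbox that watches for `ProcessExists` probes against AV process names is the more durable detection.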
Eventually, the attack spawns a `jsc.exe` process (the legitimate .NET JScript compiler shipped with the .NET Framework) and injects a DLL named `Urshqbgpm.dll`, suspected to be a variant of AsyncRAT. The malware tries to contact a command-and-control (C2) server at 139[.]99[.]188[.]124:56001, a known endpoint for AsyncRAT activity. Interestingly, the DLL also includes signs of PureHVNC, a remote-access malware offered on dark web forums.
🔎 What Undercode Say:
This infection chain showcases how older scripting languages like AutoIT can still be exploited for sophisticated cyberattacks. Despite AutoIT’s original purpose as a simple automation tool for Windows tasks, its ability to interact deeply with the OS makes it a weapon of choice for malware developers.
Key takeaways from this attack pattern:
Layered Delivery Mechanism: Using two layers of AutoIT scripting allows attackers to avoid basic antivirus detections. The first script drops an interpreter and then downloads an obfuscated second script. This modular design is both stealthy and flexible.
Custom Obfuscation with `Wales`: By converting readable strings into `]`-separated decimal ASCII values, the malware evades string-based detection; the cleartext exists only in memory after the decoder runs. The `Wales` decoding function highlights the deliberate effort to cloak the malicious intent.
Persistence via Startup Shortcut: Instead of the more common Run-key registry edits, the malware uses a `.url` shortcut in the Startup folder pointing to a JavaScript file. This method is simple but effective in re-initiating the infection at every user logon.
Use of PowerShell: PowerShell is a go-to for malware operators. In this case, the dropped script `PublicProfile.ps1` likely helps in preparing the environment for deeper compromise.
DLL Injection into Legitimate Process: The final stage, where `Urshqbgpm.dll` is injected into `jsc.exe`, lets the RAT run inside a Microsoft-signed binary, so its C2 traffic appears to originate from trusted software and process-name allow-lists are bypassed.
AsyncRAT and PureHVNC Integration: These two tools provide attackers full remote control, screen sharing, keylogging, and credential theft features. This combination suggests the malware is designed for espionage, financial theft, or long-term access.
The use of known RATs indicates that the campaign likely targets small to medium-sized enterprises or individuals, especially those with outdated defenses. The inclusion of antivirus detection logic also shows that attackers are keen to stay under the radar, avoiding unnecessary exposure.
✅ Fact Checker Results:
✔ The URLs and file paths in the malware match known AutoIT-based attack patterns
✔ Obfuscation through encoded strings using custom decoding functions is a common stealth technique
✔ The use of AsyncRAT and PureHVNC suggests high potential for remote control and data exfiltration
🔮 Prediction:
Expect more malware campaigns to leverage lightweight scripting platforms like AutoIT, VBScript, and JavaScript. These tools are often overlooked by traditional antivirus software and allow for intricate, multi-stage infections. As this case demonstrates, combining script obfuscation with DLL injection and remote access tools creates a potent threat, particularly for unpatched systems and unsophisticated networks. Defenders should monitor script-based behaviors, look for unusual AutoIT usage, and ensure system logging is enabled to trace any shadowy executables trying to re-launch themselves through the Startup folder.
References:
Reported By: isc.sans.edu