The banking sector has always been an attractive target for cyber-criminals. Since Zeus and Gozi emerged in 2007, prominent banking Trojans have regularly made the headlines by emptying customers' accounts. Recently, security researchers spotted yet another member of the financial malware family. This time the campaign is aimed at the US and Canadian banking sector, which has been targeted by a new credential stealer since early 2020.
While the malicious activity originated in the first months of 2020, security researchers detected the new credential stealer only in Q3 2020. Evidently, it applies effective evasion techniques. First, the malware is written in the AutoHotKey (AHK) scripting language, which means it can be launched on a compromised PC without a built-in compiler. Second, the threat loads each malicious component separately, using distinct AutoHotKey scripts for different targets. Together, these features allow the credential stealer to stay off researchers' radar and evade sandbox detection.
Another remarkable aspect of this campaign is that it might be operated under a “hack-for-hire” model. The malicious software components are strictly systematized, and detailed instruction comments are provided for the main function and variables. These are indicators that the malware might have been developed for use on an as-a-service basis. Notably, the instructions are written in Russian, which points to a possible country of origin for the developers.
The multistage infection chain starts with macro-laced Excel documents, presumably distributed via malspam and spear-phishing. If a victim is tricked into enabling the VBA AutoOpen macro, the document drops and launches the AutoHotKey (AHK) downloader client script (adb.ahk) with the help of a portable AHK script compiler (adb.exe). Here, adb.ahk is used for persistence and for marking targets. In particular, it uses the volume serial number of the C drive to produce a personalized ID for each victim. This ID remains constant and is used to keep track of successful infections.
After compilation and achieving persistence, the credential stealer drops a “sqlite3.dll” on the affected device. This DLL runs SQL queries to retrieve login data from a wide range of browsers, including Microsoft Edge, Google Chrome, Opera, Firefox, and Internet Explorer (IE). The stolen credentials are then decrypted and sent to the C2 server via an HTTP POST request. It is worth noting that the IE password-stealer component uses open-source malicious code converted to the AutoHotKey language, while the other components are custom and AHK native.
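The chain described above (Office macro launching the portable AHK runtime with an .ahk script, the dropped sqlite3.dll being loaded, and the same process posting to the C2) gives a defender three correlatable signals. The following is an added example of such correlation over Sysmon-style events, not code from the original post or from the SOC Prime rule; the event field names, the macro-host list, the user-writable path heuristic and all sample events are constructed assumptions.

```python
"""Added example: correlate Sysmon-style events for the AHK stealer chain.
Not part of the original post; field names and samples are constructed."""
import re
from typing import Iterable

MACRO_HOSTS = {"excel.exe", "winword.exe"}              # assumption: Office macro hosts
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.I)  # assumption: typical drop paths
AHK_SCRIPT = re.compile(r"\.ahk\b", re.I)               # .ahk script on the command line


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list:
    """Return (pid, reason) tuples. State is kept so that later events from a
    process spawned by a macro host with an .ahk argument inherit suspicion."""
    ahk_pids = set()
    hits = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            # Stage 1: macro host starts a process that is handed an .ahk script
            if basename(ev["parent"]) in MACRO_HOSTS and AHK_SCRIPT.search(ev["cmdline"]):
                ahk_pids.add(pid)
                hits.append((pid, "office_spawned_ahk_script"))
        elif ev["type"] == "image_load":
            # Stage 2: sqlite3.dll loaded from a user-writable path (dropped, not vendor-shipped)
            if basename(ev["image"]) == "sqlite3.dll" and USER_WRITABLE.search(ev["image"]):
                hits.append((pid, "dropped_sqlite3_loaded"))
        elif ev["type"] == "network_connect":
            # Stage 3: web egress from the process flagged in stage 1 (HTTP POST to C2)
            if pid in ahk_pids and ev["dst_port"] in (80, 443):
                hits.append((pid, "ahk_process_http_egress"))
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry, one infected chain plus benign noise
    {"type": "process_create", "pid": 4120, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Users\jdoe\AppData\Roaming\adb.exe", "cmdline": r'"C:\Users\jdoe\AppData\Roaming\adb.exe" adb.ahk'},
    {"type": "image_load", "pid": 4120, "image": r"C:\Users\jdoe\AppData\Roaming\sqlite3.dll"},
    {"type": "network_connect", "pid": 4120, "dst_ip": "198.51.100.7", "dst_port": 80},
    {"type": "process_create", "pid": 5200, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
    {"type": "network_connect", "pid": 5200, "dst_ip": "203.0.113.9", "dst_port": 443},
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The browser's own connection is not flagged because it was never tied to a macro-host parent, which is the correlation that keeps the third signal from firing on every HTTP client.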
Considering the evasive capabilities of the new AutoHotKey malware, proactive attack detection is a priority. Find the traces of the recently discovered credential stealer targeting the US and Canada with the free detection content released on the Threat Detection Marketplace by Osman Demir:
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
Tactics: Credential Access, Persistence, Command and Control
Techniques: Credentials from Web Browsers (T1503), Shortcut Modification (T1023), Standard Application Layer Protocol (T1437)
Sign up for free to the Threat Detection Marketplace and find more valuable SOC content for proactive attack detection. You are welcome to join our Threat Bounty Program to craft your own Sigma rules and become a part of the SOC Prime threat hunting community.