Account Takeover Fraud , Cybercrime as-a-service , Fraud Management & Cybercrime

New AutoHotkey-Based Malware Targets US, Canadian Banks

Malware Steals Banking Credentials rrom Different Browsers
New AutoHotkey-Based Malware Targets US, Canadian Banks
The malware's attack chain. (Source: Trend Micro)

Researchers from security firm Trend Micro have found a new infostealer malware strain, written in the AutoHotkey programming language, that is capable of stealing banking credentials from different web browsers.

See Also: OnDemand Webinar | Cloud applications: A Zero Trust approach to security in Healthcare

The campaign, which began earlier this year, has been active across the U.S and Canada and has targeted the customers of Scotia Bank, PayPal, Royal Bank of Canada, Capital One and HSBC, among other banks.

"In mid-December, we discovered a campaign that distributed a credential stealer. By tracking the campaign components, we found out that its activity has been occurring since early 2020," Trend Micro notes. "Our telemetry tracked the malware's command-and-control servers and determined that these come from the U.S., the Netherlands, and Sweden. We also learned that the malware has been targeting financial institutions in the US and Canada.”

Malware Capabilities

The new malware is written in AutoHotkey or AHK, which is an open-source scripting programming language that is used for software automation in Windows devices, Trend Micro says.

An attack begins with the malware being sent to the victim in an email as a malicious Excel file. When this is opened and executed, it brings an AHK downloader into the victim’s devices. The downloader consists of multiple malware components designed to achieve persistence, profiling victims and downloading and executing additional AHK scripts.

In the next stage of the attack, the malware downloads the browser credential stealer, which then proceeds to take the encrypted credentials from various browsers, such as Microsoft Edge, Google Chrome, Opera and Firefox.

In the final stage of the attack, the malware decrypts the exfiltrated data and sends it to the command-and-control servers via an HTTP POST request. What is unique to this malware is its reliance on AHK files to receive commands instead of a command-and-control server.

"By doing this, the attacker can decide to upload a specific script to achieve customized tasks for each user or group of users. This also prevents the main components from being revealed publicly, specifically to other researchers or to sandboxes," the report notes.

AutoHotkey Malware

While AHK malware is relatively rare, with many strains compiled using Python or C++, it is not a unique situation, as researchers have spotted AHK strains in the wild, Trend Micro says.

In April 2019, Trend Micro reported on another AHK malware that enabled the attackers to steal information to gain remote access to systems.

In another case, Check Point found that an AHK malware campaign used a Trojanized version of TeamViewer - a widely used remote access and desktop sharing software – to infect several embassies in Europe, including those of Nepal, Guyana, Kenya, Italy, Liberia, Bermuda and Lebanon (see: Trojanized TeamViewer Attacks Reveal Mutating Malware).

In August 2019, the security firm Avast said it disrupted Retadup malware written in both AutoIt and AHK scripts. The malware was estimated to have infected 850,000 Windows devices across 150 nations and was used by the attackers to mine for monero cryptocurrency (see: Police Trick Malware Gang Into Disinfecting 850,000 Systems).


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.