US And Canadian Banking Customers Being Targeted By AutoHotKey-Based Credential Stealer
An ongoing campaign, initiated in the early 2020s, has been discovered in which attackers are distributing a new credential (password) stealer written in the AutoHotKey (AHK) scripting language.
AutoHotKey is an open-source custom scripting language for Windows, designed for defining hotkeys, creating macros and automating software, so that users can repeat and automate tasks in any application.
The primary targets of the credential theft are customers of financial institutions in the US and Canada; the banks targeted include Royal Bank of Canada, Alterna Bank, EQ Bank, Scotiabank, Capital One, HSBC, and Manulife. ICICI Bank, an Indian banking firm, was also on the list.
Everything starts with a malware-laced Excel file embedded with a Visual Basic AutoOpen macro, whose main function is to drop the downloader client script and execute it through a legitimate, portable AHK script compiler.
The downloader client script is capable of persistence, profiling victims, and downloading and running additional AHK scripts. These additional scripts were downloaded from Command-and-Control (C&C) servers located in Sweden, the Netherlands, and the US.
This practice of downloading and executing scripts from the C&C servers to accomplish various tasks sets the malware apart from others that receive commands directly from their C&C servers. It also gives the attackers the option of customization: they can upload different scripts for different groups of users, and unique scripts for specific targets. In addition, it prevents the malware's full functionality from being revealed publicly or to researchers.
The main script, named Chief, handles the credential stealing and targets browsers such as Opera, Microsoft Edge, and Google Chrome. Once Chief is installed on the target system, it attempts to download an SQLite module, which is used to run SQL queries against the SQLite databases inside the browsers' application folders.
Finally, the credential stealer collects credentials from the browsers, decrypts them, and transmits all of the data to the C&C server in plaintext via an HTTP POST request.
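As an added example that is not part of the original article, the following Python flags the process chain described above (an Excel macro launching a portable AHK interpreter on a dropped script) in Sysmon-style process-creation events; the interpreter file name, the user-writable drop location and the sample events are assumptions constructed for the demonstration.

```python
"""Added example, not from the original article: flag the infection chain the
article describes (Excel AutoOpen macro -> portable AHK interpreter -> dropped
.ahk script) in process-creation telemetry. Field names follow Sysmon Event ID 1
(ProcessCreate); the events below are constructed sample data, not a capture."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
AHK_IMAGE_RE = re.compile(r"autohotkey", re.IGNORECASE)   # assumed interpreter name
AHK_SCRIPT_RE = re.compile(r"\.ahk\b", re.IGNORECASE)
# Assumption: the dropped portable interpreter runs from a user-writable directory.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)

# Constructed sample events: one matching the chain, one legitimate AHK use,
# one ordinary Excel child process.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\AutoHotkey.exe" dropped.ahk'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" C:\Users\alice\hotkeys.ahk'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> list:
    """Return the reasons an event matches the chain; an empty list means no match."""
    parent = basename(event.get("ParentImage", ""))
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # Only events that run the AHK interpreter or hand it an .ahk script are of interest.
    if not (AHK_IMAGE_RE.search(basename(image)) or AHK_SCRIPT_RE.search(cmdline)):
        return []
    reasons = []
    if parent in OFFICE_APPS:
        reasons.append(f"AHK launched by Office process {parent} (macro-style execution)")
    if USER_WRITABLE_RE.search(image):
        reasons.append("AHK interpreter running from a user-writable path (dropped binary)")
    return reasons


def hunt(events: list) -> list:
    """Return (event, reasons) pairs for every event that matched at least one rule."""
    return [(e, r) for e in events if (r := assess(e))]
```

Running `hunt(SAMPLE_EVENTS)` returns only the first event, with both reasons; the legitimate AutoHotkey launch from Program Files and the ordinary Excel child process are not flagged.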
Researchers noticed that the malware components were well organized at the code level and included usage instructions. This hints that a group from the “hack-for-hire” community may be behind the attack, offering it as part of a service to others.
The researchers concluded that “By using a scripting language that lacks a built-in compiler within a victim’s operating system, loading malicious components to achieve various tasks separately, and changing the C&C server frequently, the attacker has been able to hide their intention from sandboxes”.