Recent AHK abuse

An ongoing malware marketing campaign has been located that makes use of AutoHotkey (AHK) scripting language to supply more than one RATs, which include LimeRAT, AsyncRAT, Houdini, Vjw0rm, and Revenge RAT. Until now, at least 4 distinct variations of this malware marketing campaign were located considering that February.

What happened?

According to researchers from Morphisec Labs, the RAT shipping marketing campaign begins off evolved from an AHK compiled script. The script consists of the AHK interpreter, script, and any record it has delivered through the FileInstall command.

In the primary variation of the assault, first visible on February 17, the attackers encapsulated the dropped RAT with an AHK executable and disabled Microsoft Defender with the Batch script and a shortcut (.LNK) record pointing to that script.
A 2d model first that regarded on March 31 blocked connections to antivirus answers with the aid of using tampering with the victim's host record. This manipulation denied DNS decision for the ones domain names with the aid of using resolving the localhost IP deal with as opposed to the actual one.
The 0.33 loader chain, first noticed on April 8, changed into handing over LimeRAT through an obfuscated VBScript, that is then decoded right into a PowerShell command that retrieves a C# payload.
On May 2, a fourth assault chain used an AHK script to run a proper application, earlier than handing over a VBScript that runs an in-reminiscence PowerShell script to get the HCrypt loader and set up AsyncRAT.

Recent AHK abuse

This isn’t the primary time that cybercriminals have abused the AHK to avoid detection.

Last December, a credential stealer, written in AHK changed into observed concentrated on monetary establishments withinside the U.S. and Canada.
In March, the Mekotio banking trojan changed into located to be abusing AHK and AHK compiler to avoid detection. The trojan changed into stealing users’ facts and concentrated on Spanish users.


By the usage of the AHK scripting language, attackers are capable of concealing their purpose from sandboxes. Moreover, the latest marketing campaign is the usage of progressive strategies to supply more than one malware. Protecting such threats calls for a proactive technique to security, and therefore, businesses are encouraged to proactively audit their vital assets.

Leave a Reply

Your email address will not be published. Required fields are marked *