A malicious AutoIT executable opens Gmail login pages and steals clipboard data, captures keystrokes, and controls system behavior. It can evade detection by blocking user input. Users should be cautious with files from untrusted sources.
Analysis with Detect-It-Easy (DIE) reveals that the malware is an AutoIT executable originally named “File.exe.” It imports several obfuscated libraries, suggesting the use of obfuscation techniques.
The use of four different networking libraries indicates that the malware likely performs network-related activities. The analysis suggests that the malware is designed to carry out harmful actions and possibly compromise network systems. Using the AutoITExtractor tool, the original script can be retrieved from the compiled AutoIT executable, revealing the malware’s malicious intent in plain text.
The script includes clear instructions to find and open popular web browsers, directing them to the Google sign-in page (accounts.google.com), indicating that it targets Google user accounts and possibly other platforms.
The binary analysis shows no direct malicious URLs, but the script tries to access Google accounts and includes generic login links for various social media sites.
While the browsers appear to function normally, a hidden function sets up a listening socket under certain conditions, suggesting possible backdoor or remote access trojan activity that could compromise user data or network connections. If the socket setup fails, the malware uses the WSAGetLastError Windows API to retrieve the error code, as noted during dynamic analysis.
When the infected browsers run, they spawn multiple processes using command-line parameters likely linked to network communication, indicating the malware’s intent to establish connections or perform network actions. The malware’s initial process creates a hidden page in Firefox and attempts to connect to a network.
If successful, the malware is designed to implement keylogging, screen capturing, and file enumeration. However, testing showed no such activity, suggesting no connection to a command and control server was made.
SonicWall has released a new signature, MalAgent.AutoITBot, to protect against this threat. The malware, identified by the file hash 6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0, will now be detected and blocked to prevent harm to customers.
Leave A Comment