Cybersecurity researchers have discovered a sophisticated malware campaign that leverages AutoIT, a scripting language known for its seamless integration with Windows environments.
While AutoIT is often used for automation, threat actors continue to exploit its simplicity and system-level access to carry out complex attacks.
Double-Layered AutoIT Attack Uncovered
The latest attack was triggered through an executable file titled “1. Project & Profit.exe” (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). This file is actually a compiled AutoIT script acting as the initial infection vector.
Once launched, it downloads a secondary AutoIT interpreter (Guard.exe) and a PowerShell script (PublicProfile.ps1), which sets the stage for deeper system compromise.
The infection continues with the retrieval of another script named Secure.au3, strategically saved in the same directory. Persistence is achieved by placing a .url shortcut in the Windows Startup folder. This shortcut silently launches a second AutoIT script referred to as “G”, kicking off the second layer of the attack.
Stealth and Persistence via Obfuscation
The second script (“G”) is heavily obfuscated. It uses a custom string encoding function called “Wales” to hide commands and system calls.
Once decoded using a specific key, the script reveals its intent to evade antivirus detection—searching for processes like avastui.exe and adjusting its behavior accordingly.
Researchers also reimplemented the Wales function in Python to decode these strings, revealing how the malware avoids detection and navigates system defenses.
Final Payload and System Hijack
The attack culminates in the use of jsc.exe, a legitimate Microsoft tool, to sideload a malicious DLL named Urshqbgpm.dll.
By abusing trusted system components, the malware hides its activities and keeps a low profile while retaining access to compromised systems.
The final payload is injected into the system to perform hidden operations without alerting the user.
Analysis of the DLL shows clear links to AsyncRAT, a well-known remote access trojan, through connection attempts to a known C2 server at 139[.]99[.]188[.]124:56001.
The DLL also references PureHVNC, a stealthy remote control tool that gives attackers full GUI access to the victim’s system, enabling silent control and data theft.
The malware is still being studied, but it clearly aims for long-term, targeted access.
Why It Matters
This campaign showcases the evolving sophistication of AutoIT-based malware, where attackers combine simple scripting with advanced techniques like multi-stage loaders, persistence via Startup injection, and string obfuscation.
Admins and security teams should monitor for unexpected use of AutoIT interpreters, analyze .exe files with suspicious names, and watch for unauthorized persistence mechanisms in Startup directories.
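As an added example (not code from the original write-up or from the researchers), the following Python script implements the last of those checks: it parses .url shortcuts in the Windows Startup folders and flags any whose target is a local file or references the AutoIT artifacts named above. The Startup folder layout, the token list, and the sample shortcut bodies are assumptions constructed for illustration.

```python
import configparser
import os
from pathlib import Path
from urllib.parse import urlparse

# Names taken from the write-up (Guard.exe, Secure.au3) plus generic AutoIT hints.
SUSPICIOUS_TOKENS = ("guard.exe", "secure.au3", ".au3", "autoit")

# Constructed sample .url bodies for offline testing; not real malware artifacts.
SAMPLE_MALICIOUS = "[InternetShortcut]\nURL=file:///C:/Users/Public/Secure.au3\nIconIndex=0\n"
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://example.com/\n"


def parse_url_target(text):
    """Return the URL= value of a .url file body (INI format), or None if unparsable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def triage_url_shortcut(text):
    """Classify one .url body. Returns (is_suspicious, reasons)."""
    target = parse_url_target(text)
    if target is None:
        return False, []
    reasons = []
    scheme = urlparse(target).scheme.lower()
    # Legitimate Startup .url files open http(s) URLs; file:// or a bare drive path (single-letter scheme) launches a local file.
    if scheme == "file" or (len(scheme) == 1 and scheme.isalpha()):
        reasons.append("target is a local file, not a web URL")
    reasons += [f"target references '{tok}'" for tok in SUSPICIOUS_TOKENS if tok in target.lower()]
    return bool(reasons), reasons


def scan_startup():
    """Return [(path, reasons)] for suspicious .url files in both Windows Startup folders."""
    sub = "Microsoft/Windows/Start Menu/Programs/Startup"  # standard layout (assumption)
    hits = []
    for base in (os.environ.get("APPDATA", ""), os.environ.get("ProgramData", "")):
        d = Path(base, sub)
        for f in (d.glob("*.url") if d.is_dir() else []):
            flagged, reasons = triage_url_shortcut(f.read_text(errors="ignore"))
            if flagged:
                hits.append((str(f), reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in scan_startup():
        print(path, "->", "; ".join(reasons))
```

On a non-Windows host scan_startup() simply returns an empty list, so the triage logic can still be exercised against the embedded samples.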
As always, keeping antivirus definitions updated, applying endpoint protection, and blocking the use of unauthorized scripting interpreters can reduce exposure to these evolving threats.