Autoit

Malware updated 8 months ago (2024-11-29T14:51:35.115Z)

Download STIX

Preview STIX

AutoIt is a type of malware, a malicious software designed to exploit and damage computers or devices. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, AutoIt can steal personal information, disrupt operations, or even hold data hostage for ransom. This malware is used in campaigns that employ AutoIt or AutoHotkey scripts to infect victims with DarkGate. The AutoIt script then launches command files and downloads a Python infostealer, causing further harm to the infected system. The attack chain of AutoIt involves an SFX archive that unpacks an AutoIt script and executes a file named "MicrosoftStores.exe". This file then launches the tool MeshAgent, advancing the infection within the system. Additionally, AutoIt uses a variety of programming languages including C++, .NET, Python, VBS, and AutoIt itself. Tools such as tcpview, wireshark, fiddler, procexp, df5serv, OllyDbg, x64dbg, x32dbg, WinDbg, among others, are involved in the process. In the next stage of the infection chain, two DLL files are introduced which use the same technique as the first stage: a legitimate AutoIt interpreter and another A3X implant located in the signature of the legitimate dynamic library. Interestingly, the AutoIt interpreter reads files specified in its launch argument in a unique manner. This sophisticated and multilayered approach makes AutoIt a particularly damaging and persistent form of malware.

Description last updated: 2024-11-28T11:46:02.241Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Payload

Windows

Loader

Scripting

Python

Credentials

Tool

Sandbox

PowerShell

Antivirus

Infostealer

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Darkgate Malware is associated with Autoit. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio	Unspecified	4
The Lumma Stealer Malware is associated with Autoit. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was di	Unspecified	3
The Lumma Malware is associated with Autoit. Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers re	Unspecified	2

Source Document References

Information about the Autoit Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	19 days ago	Fix the Click: Preventing the ClickFix Attack Vector
SANS ISC	2 months ago	RAT Dropped By Two Layers of AutoIT Code - SANS Internet Storm Center
Unit42	2 months ago	DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt
Fortinet	3 months ago	Horabot Unleashed: A Stealthy Phishing Threat \| FortiGuard Labs
Securelist	3 months ago	How Lumma Stealer sneaks into organizations
Unit42	3 months ago	Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis
Malwarebytes	4 months ago	AMOS and Lumma stealers actively spread to Reddit users
Securelist	5 months ago	New wave of targeted attacks of the Angry Likho APT on Russian organizations
Fortinet	5 months ago	FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant \| FortiGuard Labs
InfoSecurity-magazine	5 months ago	Evolving Snake Keylogger Variant Targets Windows Users
Pulsedive	6 months ago	Assemblyline for Open Source Malware Triage \| Tool Guide
Malwarebytes	6 months ago	ClickFix vs. traditional download in new DarkGate campaign
Trend Micro	6 months ago	Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response
Trend Micro	6 months ago	Trend Micro™ Managed XDR Analysis of Infection From Fake Installers and Cracks
DARKReading	7 months ago	Microsoft Teams Vishing Spreads DarkGate RAT
Unit42	a year ago	DarkGate: Dancing the Samba With Alluring Excel Files
Fortinet	a year ago	Fickle Stealer Distributed via Multiple Attack Chain \| FortiGuard Labs
MITRE	2 years ago	Donot Team Leverages New Framework \| NETSCOUT
Securityaffairs	10 months ago	Awaken Likho APT group targets Russian government with a new implant
Securelist	10 months ago	Analyzing the Awaken Likho APT group implant: new tools and techniques