Back in May 2013, Trend Micro noted that AutoIT was on the rise as a go-to development language for malware, citing a "ridiculously easy" user experience that allows for quick coding. It enables everything from simple scripts that change text files to scripts that perform mass downloads with complex GUIs. One commonly seen malicious AutoIT tool was observed being uploaded to Pastebin as a keylogger, which the firm said was evidence that AutoIT was going to break out in a big way.
Now, Trend Micro says that its suspicions have proved out. A Zeus variant, for instance, arrives via spammed email messages together with a malicious AutoIT file and garbage files. It drops a configuration file that contains a list of its targeted banks and other financial sites, and it also steals additional information.
It also spotted two other malware samples, Chisburg and Eupuds, that have been updated to use the same AutoIT packer. "The new AutoIt packer tool code found online contains the ability to propagate via removable drives, has installation routines and checks installed antivirus software on the system," said Mark Joseph Manahan in a blog post. "Furthermore, its code has garbage code and obfuscated functions to make it harder to analyze. And while these malware are old, they remain an effective means to steal information, especially with the added capability of the AutoIt packer."
When Chisburg is loaded into memory, it steals user names and passwords from Yahoo, Hotmail, Pidgin, FileZilla, and VPN/ISP credentials, among others. Similarly, Eupuds skims data from infected systems such as the user ID, the browser name and version, and the OS version. It also steals information like user names and passwords stored in certain browsers. Cybercriminals may sell the gathered information in the cybercriminal underground or use it to launch other attacks, Trend Micro noted.
“Another problem is the fact that with the incorporation of malware to a scripting language such as AutoIt, it makes analysis arduous especially if there is no decompiler that can aid in the analysis,” Manahan said. “AutoIt is also used by normal applications.”
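As an added triage example (not from the article, Trend Micro, or the AutoIt project), the script below flags files that carry the byte markers a compiled AutoIt v3 executable normally contains; the marker strings, the file extensions checked, and the sample files it builds are this example's assumptions, and the samples are constructed stand-ins rather than real binaries. Because, as Manahan notes, AutoIt is also used by legitimate applications, a hit only says the file was built with AutoIt and deserves closer analysis, not that it is malicious.

```python
"""Triage helper: flag executables that embed a compiled AutoIt v3 script."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Byte markers found in compiled AutoIt v3 binaries (assumption of this example):
# the script-resource header "AU3!EA06" (older builds: "AU3!EA05") and the
# notice string the AutoIt compiler embeds for AV researchers.
AUTOIT_MARKERS: dict[str, bytes] = {
    "au3_resource_ea06": b"AU3!EA06",
    "au3_resource_ea05": b"AU3!EA05",
    "au3_compiled_notice": b"This is a compiled AutoIt script.",
}

# Extensions worth checking (assumption); the packer in the article ships as an executable.
DEFAULT_SUFFIXES = (".exe", ".scr", ".dll")


@dataclass
class ScanResult:
    path: str
    size: int
    hits: list[str] = field(default_factory=list)

    @property
    def is_autoit_compiled(self) -> bool:
        # A marker means "built with AutoIt", not "malicious": legitimate
        # applications use AutoIt too, so treat this as a triage signal only.
        return bool(self.hits)


def find_autoit_markers(data: bytes) -> list[str]:
    """Return the names of every marker present anywhere in the blob."""
    return [name for name, sig in AUTOIT_MARKERS.items() if sig in data]


def scan_file(path: str | os.PathLike[str]) -> ScanResult:
    """Read one file fully (samples are small) and look for the markers."""
    p = Path(path)
    data = p.read_bytes()
    return ScanResult(path=str(p), size=len(data), hits=find_autoit_markers(data))


def scan_directory(root: str | os.PathLike[str],
                   suffixes: tuple[str, ...] = DEFAULT_SUFFIXES) -> list[ScanResult]:
    """Scan every file under root whose extension is in suffixes, sorted by path."""
    return [
        scan_file(p)
        for p in sorted(Path(root).rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    ]


def demo() -> list[ScanResult]:
    """Write constructed stand-ins (not real samples) to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed: a fake PE-like blob carrying the AutoIt markers.
        (Path(tmp) / "packed_sample.exe").write_bytes(
            b"MZ\x90\x00" + b"\x00" * 64 + b"AU3!EA06" + b"\x00" * 32
            + b"This is a compiled AutoIt script." + b"\x00" * 16
        )
        # Constructed: a fake binary with no AutoIt traces.
        (Path(tmp) / "ordinary.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 128)
        # Constructed: a text file the suffix filter should skip even though it
        # contains the marker string.
        (Path(tmp) / "notes.txt").write_bytes(b"AU3!EA06 mentioned in prose only")
        return scan_directory(tmp)


if __name__ == "__main__":
    for r in demo():
        flag = "AUTOIT" if r.is_autoit_compiled else "-     "
        print(f"{flag}  {r.size:8d}  {Path(r.path).name}  {','.join(r.hits)}")
```

Run it against a quarantine folder with `scan_directory("/path/to/quarantine")`; files that hit are the ones to hand to an AutoIt-aware analysis workflow, while everything else can be triaged by other means first.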
As always, users should be wary of the email messages they receive, and should avoid executing the attachments that go along with them. Users are also encouraged to regularly update their systems and anti-malware software to ensure protection.