Threat actors are always looking for a way to execute files on a victim machine and stay undetected. One way involves using a scripting language that has no built-in compiler within a victim’s operating system, and which can’t be executed without its compiler or interpreter. Python, AutoIT, and AutoHotkey (AHK) are some examples of such a scripting language. In particular, AHK is an open-source scripting language for Windows that aims to provide easy keyboard shortcuts or hotkeys, fast macro-creation, and software automation. AHK also allows users to create a “compiled”.

In mid-December, we discovered a campaign that distributed a credential stealer. We also learned that the main code components of this campaign are written in AHK. By tracking the campaign components, we found out that its activity has been occurring since early 2020.

The malware infection consists of multiple stages that start with a malicious Excel file. In turn, this file contains an AHK script compiler executable, a malicious AHK script file, and a Visual Basic for Applications (VBA) AutoOpen macro. The full attack chain is depicted in Figure 1.

Our telemetry tracked the malware’s command-and-control (C&C) servers and determined that these come from the US, the Netherlands, and Sweden. We also learned that the malware has been targeting financial institutions in the US and Canada.

The dropped adb.exe and adb.ahk play critical roles in this infection. The adb.exe is a legitimate portable AHK script compiler, and its job is to compile and execute the AHK script at a given path. By default (with no parameter), this executable executes a script with the same name in the same directory.
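The two behaviours just described (the compiler is handed a script path on its command line, or, with no argument, picks up the .ahk file that shares its own name and directory) give a defender something concrete to hunt for. The script below is an added example, not code from the report or from its authors: it runs that logic over constructed process-creation records and a constructed file inventory, flags an executable that has a same-named .ahk beside it or receives a .ahk argument, and raises the severity when the parent is Excel or the executable lives in a user-writable directory. The event fields, the file list and the paths are assumptions made for the illustration; the names adb.exe and adb.ahk are the ones the report gives.

```python
import ntpath
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape, not a real EDR schema)."""
    event_id: int
    parent_image: str
    image: str
    command_line: str


# Constructed disk snapshot (lower-cased full paths); not taken from a real host.
FILES_ON_DISK: Set[str] = {
    r"c:\users\victim\appdata\roaming\adb.exe",
    r"c:\users\victim\appdata\roaming\adb.ahk",
    r"c:\program files\autohotkey\autohotkey.exe",
    r"c:\users\dev\tools\macro.ahk",
    r"c:\windows\system32\notepad.exe",
}

# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Users\victim\AppData\Roaming\adb.exe",
              r'"C:\Users\victim\AppData\Roaming\adb.exe"'),
    ProcEvent(2, r"C:\Windows\explorer.exe",
              r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Users\dev\tools\macro.ahk"'),
    ProcEvent(3, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" notes.txt'),
]


def same_name_script(image: str, files: Set[str]) -> Optional[str]:
    """Path of a .ahk file in the executable's directory with the same base name, if any.

    This mirrors the compiler's no-argument behaviour described in the report.
    """
    directory, filename = ntpath.split(image.lower())
    stem, _ext = ntpath.splitext(filename)
    candidate = ntpath.join(directory, stem + ".ahk")
    return candidate if candidate in files else None


def script_argument(command_line: str) -> Optional[str]:
    """First argument after the program name that names a .ahk file."""
    # posix=False keeps Windows backslashes intact and leaves quotes on tokens.
    tokens = shlex.split(command_line, posix=False)
    for tok in tokens[1:]:
        cleaned = tok.strip('"')
        if cleaned.lower().endswith(".ahk"):
            return cleaned
    return None


def in_user_writable_dir(image: str) -> bool:
    """Crude check: executable under a user profile rather than Program Files or Windows."""
    low = image.lower()
    return "\\users\\" in low and not low.startswith((r"c:\program files", r"c:\windows"))


def analyse(event: ProcEvent, files: Set[str] = FILES_ON_DISK) -> List[str]:
    """Return human-readable findings for one event; empty list means nothing AHK-related."""
    findings: List[str] = []
    sibling = same_name_script(event.image, files)
    if sibling:
        findings.append(f"same-name .ahk beside executable: {sibling}")
    arg = script_argument(event.command_line)
    if arg:
        findings.append(f".ahk script passed on command line: {arg}")
    if not findings:
        return findings
    # Context that makes the AHK launch more suspicious.
    if ntpath.basename(event.parent_image).lower() == "excel.exe":
        findings.append("parent is Excel (macro-launched stage)")
    if in_user_writable_dir(event.image):
        findings.append("compiler runs from a user-writable directory (portable copy)")
    return findings


def severity(findings: List[str]) -> str:
    """High when the dropped-pair pattern or an Office parent is present, else low."""
    if any(f.startswith(("same-name", "parent is Excel")) for f in findings):
        return "high"
    return "low" if findings else "none"


def hunt(events: List[ProcEvent] = SAMPLE_EVENTS,
         files: Set[str] = FILES_ON_DISK) -> Dict[int, dict]:
    """Run the checks over all events and keep only those with findings."""
    report: Dict[int, dict] = {}
    for ev in events:
        f = analyse(ev, files)
        if f:
            report[ev.event_id] = {"severity": severity(f), "findings": f}
    return report


if __name__ == "__main__":
    for eid, entry in hunt().items():
        print(f"event {eid}: {entry['severity']}")
        for line in entry["findings"]:
            print("  -", line)
```

On the constructed data, event 1 (Excel spawning adb.exe next to adb.ahk in a profile directory) comes out high, event 2 (a normally installed AutoHotkey run with an explicit script by explorer.exe) comes out low, and notepad.exe produces nothing. A real deployment would swap the inline file set for a directory listing or file-creation telemetry from the same host.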