Hackers revive Word macro malware in AutoIT RAT attack

Hackers have launched phishing attacks on organisations using legitimate automated management tools, according to Cisco.

Fancy rat (pic: Wikimedia/AlexK100/ www.flickr.com/photos/alexk100/1091960123)

According to a blog post by Cisco's Talos security group, criminals have been launching a targeted attack on organisations, using AutoIT to install a Remote Access Trojan (RAT) and “maintain persistence on the host in a manner that's similar to normal administration activity”. AutoIT is a well-known freeware administration tool for automating system management in corporate environments.

Talos said that the RATs enable hackers to “fully control compromised hosts remotely to conduct malicious operations, such as exfiltrating sensitive information”.

“The use of AutoIT is potentially an extremely effective method of evading detection by traditional anti-virus technologies and remaining hidden on the system if it is used by the target to manage systems,” said Alec Chui, threat researcher at Talos Group. “The combination of a legitimate administration tool being used to install a backdoor onto a target system is unique and is why this attack caught our attention.”

Chui said that another characteristic of the attack was how far hackers would go to spoof a phishing message that looks credible.

“In this attack, an actual business was impersonated, using the logo and physical address of the business, in order to appear legitimate,” said Chui. “The bait in this case is a Microsoft Word document containing a macro that downloads and executes a binary from hxxp://frontlinegulf[.]com/tmp/adobefile.exe.”

Talos said that criminals changed the payload hosted on the external host several times.

“One particular payload that caught our attention was a self-extracting archive that used AutoIT to execute an AutoIT script and several other files. While the inclusion of AutoIT is unique, the AutoIT script contained the actual functionality that performed anti-analysis checks, payload decryption, malware installation, and persistence,” said Chui.

He added that this was unusual because these bits of functionality are typically concealed and executed from an encrypted binary instead of a script.

“Ultimately, the actual payloads for the majority of the samples that the adversaries hosted externally were Remote Access Trojans (RATs),” he added.

Chui said that combatting the threat required organisations to be aware that adversaries will adapt and evolve to overcome any obstacle they face.

“Adversaries will continue to utilise social engineering tactics, such as spoofing document origins and impersonating legitimate businesses, to try and evade detection and trick users. Defenders must remain aware of how adversaries are adapting in order to ensure appropriate detection technologies remain effective,” said Chui.

Steve Ward, senior director at threat intelligence consultancy iSIGHT Partners, told SC Magazine that since Microsoft Word's default setting is to disable macros, “users must be socially engineered into enabling macros for the malicious schemes described to work”.

“Users should be extremely cautious about enabling macros on a document, especially documents from an unknown person. Users should follow up with the sender regarding any documents requesting use of macros that they believe to be legitimate,” he said.

TK Keanini, CTO at Lancope, told SCMagazineUK.com that the attack is clever, but that it didn't surprise him.

“People in every role need to understand that ‘free’ may mean that the cost of security is not your problem, but until we make it a habit to require and validate digital signatures, this problem will persist,” he said.

“At the very least, people who consume what is ‘free’ on the internet need to ask: What evidence do I have that this software is safe? Remember, malware and RAT tools are ‘free’, too.”