LTS Secure Warning: AutoIT-Compiled Payload Being Delivered In New MalSpam Campaign

Researchers have discovered a new malspam campaign delivering spyware (Negasteal, also known as Agent Tesla) and a remote access trojan (Warzone, also known as Ave Maria). The threat actors behind the campaign ship the payloads as AutoIT-obfuscated, AutoIT-compiled executables inside RAR and LZH compressed archives to evade detection.


Technical Details

The email is crafted to look like a financial document or shipment advisory and carries a .RAR (or .LZH) archive as an attachment. Once the user downloads and extracts the attachment and runs the extracted file, the AutoIT-obfuscated malware is dropped on the user's machine.

The obfuscation has two layers, which helps the payload slip past endpoint solutions:

  • The malware binary is first obfuscated into an AutoIT script.
  • The script is then compiled into a stand-alone executable with the AutoIT compiler, so the file that reaches the endpoint is a compiled AutoIT binary rather than the malware in its original form.
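As an added example (not code from the LTS Secure advisory or from the researchers' report), the following Python triage helper checks whether a dropped file carries the markers that the AutoIT v3 compiler leaves in the executables it builds: the "AU3!EA06" compiled-script header, the runtime stub's "third-party compiled AutoIt script" error string, and the default "AutoIt v3 Script" FileDescription in the version resource (stored as UTF-16LE). These markers are assumed from public knowledge of AutoIT-compiled binaries; a packer or edited version information can strip some of them, so a hit is a triage signal rather than proof of malice, and a clean result is not proof of safety. The attachment-name check and the sample bytes in main() are constructed for the demo.

```python
"""Triage helper: flag files that look like AutoIT v3 compiled executables.

Added example for the advisory above; not the advisory's or the
researchers' code. Marker strings are assumed from public knowledge of
AutoIt-compiled binaries, and the demo input in main() is constructed.
"""
from __future__ import annotations

import sys
from pathlib import Path

# Byte patterns characteristic of AutoIt v3 compiled executables (assumed).
AUTOIT_MARKERS: dict[bytes, str] = {
    b"AU3!EA06": "AutoIt v3 compiled-script header",
    b"This is a third-party compiled AutoIt script.": "AutoIt runtime stub error string",
    # Default FileDescription of the version resource; UTF-16LE inside the PE.
    "AutoIt v3 Script".encode("utf-16-le"): "default AutoIt FileDescription (version resource)",
}

# Archive extensions used as lures in this campaign (case-insensitive).
LURE_ARCHIVE_SUFFIXES = {".rar", ".lzh", ".lha"}


def autoit_markers(data: bytes) -> list[str]:
    """Return the description of every AutoIt marker found in ``data``."""
    return [desc for pattern, desc in AUTOIT_MARKERS.items() if pattern in data]


def is_pe(data: bytes) -> bool:
    """True when ``data`` starts with the DOS/PE 'MZ' header."""
    return data[:2] == b"MZ"


def triage_file(data: bytes) -> dict:
    """Classify a file's bytes; returns a verdict plus the markers that fired."""
    hits = autoit_markers(data)
    if not is_pe(data):
        verdict = "not-pe"          # archives, scripts, documents: handled elsewhere
    elif hits:
        verdict = "autoit-compiled"  # worth a sandbox run / AutoIt decompilation
    else:
        verdict = "pe-no-autoit-markers"
    return {"verdict": verdict, "markers": hits}


def is_lure_archive_name(filename: str) -> bool:
    """True for attachment names carrying the archive extensions this campaign uses."""
    return Path(filename).suffix.lower() in LURE_ARCHIVE_SUFFIXES


def scan_paths(paths: list[Path]) -> dict[str, dict]:
    """Triage every regular file under ``paths``; directories are walked recursively."""
    results: dict[str, dict] = {}
    for p in paths:
        candidates = p.rglob("*") if p.is_dir() else [p]
        for f in candidates:
            if f.is_file():
                results[str(f)] = triage_file(f.read_bytes())
    return results


def main(argv: list[str]) -> int:
    if argv:
        for name, r in scan_paths([Path(a) for a in argv]).items():
            print(f"{r['verdict']:<24} {name}  {'; '.join(r['markers'])}")
        return 0
    # Constructed demo input: a fake PE with an AutoIt script header planted in it.
    fake_pe = b"MZ" + b"\x00" * 64 + b"AU3!EA06" + b"\x00" * 16
    print(triage_file(fake_pe))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python autoit_triage.py <extracted-attachment-dir>` to get one verdict per file; anything marked `autoit-compiled` that arrived inside a RAR or LZH lure is a candidate for sandbox detonation and for decompiling the embedded script to recover the real payload.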


Impact

  • Logs the user's keystrokes.
  • Steals sensitive or confidential information.
  • Enumerates files, directories and drives.
  • Lists running processes and terminates them on command.
  • Deletes files.
  • Uninstalls itself on command.


Recommended Actions

  • Implement the principle of least privilege, so a user who runs the attachment cannot hand the malware administrative rights.
  • Never download suspicious attachments or click on shady-looking links, and take the time to educate your users on how to recognise malspam.
  • Keep your anti-virus software updated with the latest releases.
  • Periodically run a "full system scan" on your endpoints.
  • Isolate compromised computers as soon as possible to prevent the threat from spreading further inside your infrastructure.