LTS Secure Warning: AutoIT-Complied Payload Being Delivered In New MalSpam Campaign
Researchers have discovered a new malspam campaign, delivering payloads such as spyware (Negasteal or Agent Tesla) and RAT (Warzone or Ave Maria). Threat actors behind the campaign are making use of AutoIT-obfuscated RAR & LZH compressed archives to evade detection.
The email is constructed in a way to be seen like a financial document or shipment advisory with an attached .RAR file. Once the user downloads & extracts the attachment, it drops the AutoIT obfuscated malware strains on the user’s machine.
The obfuscation technique used here has two layers, helping it bypass endpoint solutions.
- The malware binaries are obfuscated into AutoIT scripts in the first phase.
- The script is then compiled into an executable, with the help of AutoIT compiler.
- Logs user’s keystrokes.
- Stealing sensitive/confidential information.
- Enumerate files, directories & drives.
- List out the process running and kill them, if needed so.
- Delete files.
- Uninstalling itself at will.
- Implement Principle of least privilege.
- Never download any suspicious attachments or click on any shady-looking link. Take an effort to educate your users on how to identify a mal-spam.
- Always update your anti-virus software with the latest releases.
- Periodically run “full system scan” on your endpoints.
- Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.