LTS Secure Warning: AutoIT-Complied Payload Being Delivered In New MalSpam Campaign

Researchers have discovered a new malspam campaign, delivering payloads such as spyware (Negasteal or Agent Tesla) and RAT (Warzone or Ave Maria). Threat actors behind the campaign are making use of AutoIT-obfuscated RAR & LZH compressed archives to evade detection.

 

Technical Details

The email is constructed in a way to be seen like a financial document or shipment advisory with an attached .RAR file. Once the user downloads & extracts the attachment, it drops the AutoIT obfuscated malware strains on the user’s machine.

The obfuscation technique used here has two layers, helping it bypass endpoint solutions.

  • The malware binaries are obfuscated into AutoIT scripts in the first phase.
  • The script is then compiled into an executable, with the help of AutoIT compiler.

 

Impact

  • Logs user’s keystrokes.
  • Stealing sensitive/confidential information.
  • Enumerate files, directories & drives.
  • List out the process running and kill them, if needed so.
  • Delete files.
  • Uninstalling itself at will.

 

Recommended Actions

  • Implement Principle of least privilege.
  • Never download any suspicious attachments or click on any shady-looking link. Take an effort to educate your users on how to identify a mal-spam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run “full system scan” on your endpoints.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.
LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013

Leave us a messages Leave us a messages

← Prev Step

Thanks for contacting us. We'll get back to you as soon as we can.

Please provide a valid name, email, and question.

Powered by LivelyChat
Powered by LivelyChat Delete History