Targeted phishing attacks are always a challenge to detect due to how convincing and authentic they may appear. Ultimately, the actual payloads for the majority of the samples that the adversaries hosted externally were Remote Access Trojans (RATs). This was also unusual because these bits of functionality are typically concealed and executed from an encrypted binary instead of a script. While the inclusion of AutoIT is unique, the AutoIT script contained the actual functionality that performed anti-analysis checks, payload decryption, malware installation, and persistence.
#CRYPTER AUTOIT ARCHIVE#
As we mentioned earlier, one particular payload that caught our attention was a self-extracting archive that used AutoIT to execute an AutoIT script and several other files. Throughout our investigation, adversaries changed the payload hosted on the external host several times. Figure 1: A screenshot of the Word document, demonstrating how adversaries impersonated a real company to trick the target. The bait in this case is a Microsoft Word document containing a macro that downloads and executes a binary from hxxp://frontlinegulfcom/tmp/adobefile.exe. In this attack, an actual business was impersonated, using the logo and physical address of the business, in order to appear legitimate.
#CRYPTER AUTOIT INSTALL#
The combination of a legitimate administration tool being used to install a back-door onto a target system is unique and is why this attack caught our attention.Īnother characteristic of this attack that was notable is how adversaries went to great lengths to spoof a phishing message that would appear credible to the user. The use of AutoIT is potentially an extremely effective method of evading detection by traditional anti-virus technologies and remaining hidden on the system if it is used by the target to manage systems. RATs allow adversaries to fully control compromised hosts remotely to conduct malicious operations, such as exfiltrating sensitive information. In this attack, AutoIT was utilized to install a Remote Access Trojan (RAT) and maintain persistence on the host in a manner that’s similar to normal administration activity. Utilizing AutoIT within a payload is unique because it is a legitimate management tool.
This notable characteristic made this attack worthy of further analysis. This targeted attack was more difficult to detect because adversaries chose to leverage AutoIT, a well known freeware administration tool for automating system management in corporate environments. While we monitor phishing campaigns used to distribute threats such as Dridex, Upatre, and Cryptowall, targeted phishing attacks are more convincing because the format of the message is personalized to the targeted user. Talos recently spotted a targeted phishing attack with several unique characteristics that are not normally seen. This post was authored by Alex Chiu and Xabier Ugarte Pedrero.