AutoIT Bot Targets Gmail Accounts First
Summary
This week, the SonicWall Capture Labs threat research team observed an AutoIT-compiled executable that attempts to open Gmail login pages via MS Edge, Google Chrome and Mozilla Firefox. It has functionality to read clipboard data, capture keystrokes, run as different users, and restart or shut down the system. The sample is also capable of detecting debuggers and blocking user input if one is detected, as well as directing control of keyboard and mouse events. It is imperative to be cautious when running files of unknown origin or with vague names such as “File.exe”. SonicWall customers are protected in the daily update feed via the “MalAgent.AutoITBot” signature.
Technical Analysis
Using the Detect-It-Easy (DIE) tool to review a sample shows the malware as an AutoIT executable. Note the original name was “File.exe”.
Figure 1: DIE Sample detection
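DIE identifies the sample by its AutoIt build artifacts, and the same idea can be scripted for bulk triage. The following is an added example (not SonicWall code and not the post's tooling) that walks a directory, flags files carrying the "AU3!EA06" marker that AutoIt3 places in its compiled-script resource, and matches SHA-256 digests against the hash published in this post's IOC section. The marker only says "built with AutoIt", which plenty of legitimate software is, so the script treats it as a review prompt unless the file also has a generic name like "File.exe"; the hash match is the specific indicator. The sample files it writes are constructed stand-ins, and the generic-name list is an assumption to extend locally.

```python
"""Triage files for AutoIt-compiled executables and match the post's IOC hash.

Added example, not code from the SonicWall post. Test files are constructed.
"""
import hashlib
import os
import tempfile

# SHA-256 from the IOC section of this post.
KNOWN_BAD_SHA256 = {"6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0"}

# Marker string AutoIt3 embeds in the compiled-script resource of its executables.
AUTOIT_MARKER = b"AU3!EA06"

# Generic file names worth a second look (assumed list; extend per environment).
GENERIC_NAMES = {"file.exe"}


def short_name(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_bytes(name, data):
    """Return a verdict dict for one file's contents."""
    digest = hashlib.sha256(data).hexdigest()
    verdict = {
        "name": name,
        "sha256": digest,
        "autoit_compiled": AUTOIT_MARKER in data,
        "known_bad": digest in KNOWN_BAD_SHA256,
        "generic_name": short_name(name) in GENERIC_NAMES,
    }
    # Known-bad hash is a hit on its own; AutoIt build alone is only a hint,
    # so require the generic-name signal as well before asking for review.
    verdict["review"] = verdict["known_bad"] or (
        verdict["autoit_compiled"] and verdict["generic_name"]
    )
    return verdict


def classify_file(path):
    """Classify a file on disk (reads it whole; fine for executables of typical size)."""
    with open(path, "rb") as f:
        return classify_bytes(path, f.read())


def triage_directory(root):
    """Classify every file under root and return the list of verdicts."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            results.append(classify_file(os.path.join(dirpath, fn)))
    return results


if __name__ == "__main__":
    # Constructed stand-in files, not real samples: a fake PE stub carrying the
    # AutoIt marker under a generic name, and a plain text file without it.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "File.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200 + AUTOIT_MARKER)
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"just text")
        for v in triage_directory(tmp):
            flag = "REVIEW" if v["review"] else "ok"
            print(f"{flag:6} {v['name']} autoit={v['autoit_compiled']} "
                  f"known_bad={v['known_bad']} sha256={v['sha256']}")
```

Point it at a quarantine or download folder with `triage_directory(path)`; anything marked `known_bad` is a direct hash match to the IOC below, while `autoit_compiled` alone should be weighed with other context.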
Multiple libraries are imported with nothing but ordinals identifying the related functions, along with four separate networking libraries. This indicates the library imports have been obfuscated, as can be seen using the DIE tool in Figure 2.
Figure 2: Obfuscated libraries
Using the AutoITExtractor tool, we can extract the script shown in Figure 3. This reveals cleartext commands to find and launch each browser on the Google sign-in page (accounts.google.com).
Figure 3: Extracted script contents
Statically analyzing the binary with a disassembler shows that there are no hardcoded addresses known to be malicious. While the script has each browser attempt to access Google accounts, there are also generic login links for Facebook, Reddit and other major social media sites. While the browsers launch and execute, a separate function sets up a listening socket if the environment is correct and connectivity has been established, as shown in Figure 4.
Figure 4: Socket option setup
If the socket setup fails, the malware calls the standard WSAGetLastError Windows API, as observed during dynamic analysis and shown in Figure 5.
Figure 5: Socket bind operation (failed)
When the browsers are run, they create multiple processes using the following command line structure:
Figure 6: Browser command line commands
The first process creates a hidden, separate page in Firefox, while the second attempts to open the socket.
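A browser being driven to accounts.google.com by a generically named executable, rather than by the user's shell or by the browser itself, is the observable that process-creation telemetry can catch. The following is an added example (not SonicWall's detection logic or the signature above) that runs that rule over constructed Sysmon-style process-creation records: it alerts when Chrome, Edge or Firefox is launched with the watched host on its command line by a parent outside an assumed allowlist. The allowlist, the event records and the paths in them are assumptions for the demonstration and should be tuned to the environment.

```python
"""Flag browser launches to the Google sign-in page from unexpected parent processes.

Added example, not code from the SonicWall post. The events below are
constructed Sysmon-style process-creation records, not real telemetry.
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Assumed allowlist of parents that normally launch a browser; tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Login page the extracted script targets, per the post.
WATCHED_HOSTS = ("accounts.google.com",)

SAMPLE_EVENTS = [
    # Normal: the user opens the sign-in page from the desktop.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/'},
    # Suspicious: a generically named executable in Downloads drives Firefox to the sign-in page.
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Users\user\Downloads\File.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -new-window https://accounts.google.com/signin'},
    # Not flagged by this rule: same parent, but no watched host on the command line.
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Users\user\Downloads\File.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-first-run'},
    # Normal: a browser spawning its own child process with the URL still on the command line.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer https://accounts.google.com/'},
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return an alert dict when a browser is launched to a watched host by an
    unexpected parent, otherwise None."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    if image not in BROWSERS:
        return None
    if not any(host in cmd for host in WATCHED_HOSTS):
        return None
    if parent in EXPECTED_PARENTS:
        return None
    return {
        "browser": image,
        "parent": parent,
        "parent_path": event["ParentImage"],
        "command_line": event["CommandLine"],
    }


def scan(events):
    """Run check_event over a sequence of events and return the alerts."""
    return [alert for alert in (check_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT: {alert['parent_path']} launched {alert['browser']} -> {alert['command_line']}")
```

On the constructed records only the Firefox launch from `File.exe` is reported; the Edge launch from the same parent is deliberately left alone to show that the rule keys on the sign-in URL, so a second rule on "non-browser parent spawns browser" would be the broader companion.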
Once a connection is made, the functions for keylogging, screen capture and further file enumeration take place. This behavior was not observed during testing, however, as no connection was made by a C2 server.
SonicWall Protections
To ensure SonicWall customers are protected against this threat, the following signature has been released:
- MalAgent.AutoITBot
IOCs
- File.exe
- SHA-256: 6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0