Overlay RAT Malware Uses AutoIt Scripting to Bypass Antivirus Detection
This post was co-authored with X-Force researcher Gadi Ostrovsky
---
IBM
X-Force Research follows the cybercrime arena across the globe to map the trends that shape online crime in each region. Brazil is a thriving region for financial malware, where malicious developers create various malware types to target local users with identity theft and online banking fraud.
In the past year, we have observed the rise of malware, such as Client Maximus and similar codes, that uses remote access with overlay screens for bank fraud operations in Brazil. Recently, we detected a remote access Trojan (RAT) malware that uses the same overall technique, but with an added twist to its antivirus evasion method.
A Delphi-Based RAT Pulling AutoIt Tricks
Malware developers that target Brazilian banks are often concerned with evading antivirus (AV) software. To evade detection, they commonly attempt to disable the running AV or find another workaround to avoid it.
X-Force Research recently observed an overlay RAT malware using the AutoIt framework to bypass AV detection in attacks against Brazilian bank targets. The AutoIt framework is an open source tool. It’s a BASIC-like scripting language designed to automate functions in the Windows user interface as well as general scripting tasks. AutoIt runs on all versions of Windows.
Within this context, the malware’s developer uses AutoIt to prevent static AV detection from recognizing the malware’s hash signature. To accomplish that, the developer compiled the malicious code with an AutoIt script and runs it as a legitimate AutoIt framework process, so the malicious payload is loaded into the AutoIt process’s memory address space rather than shipped as a recognizable standalone binary.
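As an added example (not code from the X-Force write-up), the following Python shows why wrapping a payload in an AutoIt-compiled binary defeats hash-only static checks and what a structural check looks like instead: every executable produced by AutoIt's Aut2Exe compiler carries the `AU3!EA06` marker regardless of the script it embeds, so triage can key on that marker when the file hash is unknown. The PE stub, script bodies and blocklist below are constructed stand-ins, not real samples.

```python
import hashlib

# Marker left in executables produced by AutoIt's Aut2Exe compiler (v3.3+).
AUTOIT_MARKER = b"AU3!EA06"
PE_STUB = b"MZ" + b"\x00" * 62  # constructed: minimal PE-looking header

def build_sample(script_body: bytes) -> bytes:
    """Constructed stand-in for an AutoIt-compiled binary: PE stub, the
    compiler's marker, then a (here unencoded) script body."""
    return PE_STUB + AUTOIT_MARKER + script_body

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_match(data: bytes, blocklist: set) -> bool:
    """Static-AV style check: known-bad file hash only."""
    return sha256(data) in blocklist

def autoit_wrapped(data: bytes) -> bool:
    """Structural check: is this a compiled AutoIt script at all?"""
    return AUTOIT_MARKER in data

def triage(data: bytes, blocklist: set, expected_autoit: bool = False) -> str:
    """Combine both checks. A compiled AutoIt binary that is not expected
    on the host deserves analyst attention even when its hash is unknown."""
    if hash_match(data, blocklist):
        return "known-bad hash"
    if autoit_wrapped(data) and not expected_autoit:
        return "unknown AutoIt-wrapped binary"
    return "clean"

# Two constructed samples: identical wrapper, one character of script changed,
# which is enough to give them different hashes.
SAMPLE_A = build_sample(b'MsgBox(0, "constructed", "script body A")')
SAMPLE_B = build_sample(b'MsgBox(0, "constructed", "script body B")')
BLOCKLIST = {sha256(SAMPLE_A)}  # constructed: only sample A is "known bad"

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, sha256(sample)[:12], triage(sample, BLOCKLIST))
```

Sample A is caught by its hash; sample B, a trivially re-wrapped variant, slips past the hash check but is still flagged by the marker check.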
Continue reading the analysis here.