Overlay RAT Malware Uses AutoIt Scripting to Bypass Antivirus Detection

This post was co-authored with X-Force researcher Gadi Ostrovsky
---


IBM X-Force Research follows the cybercrime arena across the globe to map the trends that shape online crime in each region. Brazil is a thriving region for financial malware, where malicious developers create various malware types to target local users with identity theft and online banking fraud.

In the past year, we have observed the rise of malware, such as Client Maximus and similar codes, that uses remote access with overlay screens for bank fraud operations in Brazil. Recently, we detected a remote access Trojan (RAT) malware that uses the same overall technique, but with an added twist to its antivirus evasion method.

A Delphi-Based RAT Pulling AutoIt Tricks

Malware developers who target Brazilian banks are often concerned with evading antivirus (AV) software. To evade detection, they commonly attempt to disable the running AV or find another workaround to avoid it.

X-Force Research recently observed an overlay RAT malware using the AutoIt framework to bypass AV detection in attacks against Brazilian bank targets. The AutoIt framework is an open source tool. It’s a BASIC-like scripting language designed to automate functions in the Windows user interface as well as general scripting tasks. AutoIt runs on all versions of Windows.

Within this context, the malware’s developer uses AutoIt to prevent static AV detection from recognizing the malware’s hash signature. To accomplish that, the developer compiles the malicious code with an AutoIt script and runs it as a valid AutoIt framework process, so the malicious payload is loaded into the AutoIt process’s memory address space rather than shipped as a standalone executable with a fixed hash.
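The paragraph above makes a point that is easy to miss: the wrapper’s file hash changes with every build, so a hash-based signature never matches, but the compiled-AutoIt structure the wrapper depends on does not change. The following script is an added example written for this post (it is not X-Force’s code and not taken from the malware analysis); it shows how an analyst can triage files by that structural indicator instead of by hash. It relies on one fact outside the post, namely that AutoIt v3 compiled scripts embed the marker string `AU3!EA06`, a marker commonly used in YARA rules; the sample buffers are constructed stand-ins, not real binaries.

```python
import hashlib

# Structural marker present in AutoIt v3 compiled-script bodies.
# This is general knowledge about the AutoIt format, not something taken from the post.
AUTOIT_MARKER = b"AU3!EA06"


def is_compiled_autoit(data: bytes) -> bool:
    """True if the buffer carries the AutoIt v3 compiled-script marker."""
    return AUTOIT_MARKER in data


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a buffer, i.e. the value a hash-based signature would key on."""
    return hashlib.sha256(data).hexdigest()


def triage(samples: dict) -> dict:
    """Map sample name -> (sha256, flagged_as_compiled_autoit).

    Shows that every rebuild yields a new hash while the structural
    indicator stays constant across builds.
    """
    return {name: (sha256_hex(data), is_compiled_autoit(data)) for name, data in samples.items()}


def build_sample(body: bytes, with_marker: bool = True) -> bytes:
    """Constructed stand-in buffer (not real malware): a minimal 'MZ' header,
    optionally the AutoIt marker, then a script body that differs per build."""
    header = b"MZ" + b"\x00" * 62
    return header + (AUTOIT_MARKER if with_marker else b"") + body


# Constructed corpus: two rebuilds of the same loader script and one benign file.
SAMPLES = {
    "build_a.exe": build_sample(b"loader-script-v1 " + b"\x90" * 16),
    "build_b.exe": build_sample(b"loader-script-v1 " + b"\x90" * 16 + b";padding-changes-hash"),
    "benign.exe": build_sample(b"ordinary program", with_marker=False),
}


if __name__ == "__main__":
    for name, (digest, flagged) in triage(SAMPLES).items():
        print(f"{name:12} sha256={digest[:16]}... compiled_autoit={flagged}")
```

Run over a real directory, the marker check should be treated as a triage signal, not a verdict: plenty of legitimate administration tools are compiled AutoIt scripts, so a hit means “extract and inspect the embedded script,” while the differing hashes of the two constructed builds illustrate why the post’s hash-signature evasion works against static AV.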

Continue reading the analysis here.
