One of the hottest trends in malware design is AutoHotKey, security researchers say. AutoHotKey, or AHK for short, is an open-source scripting language that was written for Windows in 2003.
The language was initially aimed at providing easy keyboard shortcuts (hotkeys), fast macro creation and software automation, allowing users to automate repetitive tasks in any Windows application. The tool is widely known in the gaming community, where gamers use it to script monotonous tasks. Recently, however, its interpreter has grown to include sophisticated capabilities for reaching into the underlying applications, says Gabriel Cirlig, a senior software engineer, in a blog post.
What Is AutoHotKey All About?
AutoHotKey has a long list of capabilities, starting with keyboard shortcuts, macro creation and software automation. That’s not all the tool can do: it can also set up Windows event hooks, inject VBScript/JScript, and even inject DLLs into other processes’ memory, the expert said. On top of that, as a reputable tool it has gathered a “sizeable community” that has helped push the tool’s interpreter onto the whitelists of a large number of AV vendors.
Unfortunately, because of that popularity and whitelisted status, AutoHotKey has attracted the attention of malware authors, who have been using the scripting language to remain undetected on systems and to deliver various types of malicious payloads.
AHK-based malware was even found to distribute cryptocurrency miners and a particular clipboard hijacker known as Evrial.
While exploring the daily plethora of AHK scripts, we found some eerily similar snippets of code. Turns out all of them are based on a popular script for clipbankers roaming in the wild. The principle of operation for this malware is simple: it stays resident in memory and listens for any activity in your clipboard. When it contains anything resembling a crypto wallet, it replaces the content with its own wallet address, thus tricking you into sending funds to him instead.
Furthermore, researchers from security firm Cybereason also stumbled upon an AHK-based credential stealer that “masquerades as Kaspersky Antivirus and spreads through infected USB drives”. The researchers named this piece Fauxpersky.
“This AHK keylogger utilizes a fairly straightforward method of self-propagation to spread. After the initial execution, the keylogger gathers the listed drives on the machine and begins to replicate itself to them,” the researchers said.
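The two behaviours described above, a resident script that reacts to clipboard changes and overwrites the clipboard, and a script that enumerates drives and copies itself to them, both leave recognisable traces in plain-text AHK source. The following static triage scanner is an added example for this article, not code from the researchers or from the malware families named here; it assumes AutoHotKey v1 command syntax (`OnClipboardChange`, `Clipboard`, `DriveGet`, `FileCopy`, `A_ScriptFullPath`, `#Persistent`) and uses constructed script fragments with a labelled placeholder wallet string as input. It flags only the combination of indicators, since each one on its own is ordinary in legitimate automation scripts.

```python
import re

# Constructed AHK v1 fragments used only as scanner input; they are not real
# malware samples and the wallet string is a labelled placeholder.
SAMPLE_CLIPBANKER = r"""
#Persistent
OnClipboardChange:
    Clipboard := "ATTACKER_WALLET_PLACEHOLDER"
return
"""

SAMPLE_PROPAGATOR = r"""
DriveGet, drives, List
Loop, Parse, drives
    FileCopy, %A_ScriptFullPath%, %A_LoopField%:\Explorer.exe, 1
"""

SAMPLE_BENIGN = r"""
^j::
    Send, hello{Enter}
return
"""

# Static indicators. Each one alone is common in legitimate automation;
# the verdict below only fires on the combinations the article describes.
INDICATORS = {
    # OnClipboardChange label/function: the script reacts to clipboard activity.
    "clipboard_hook": re.compile(r"^\s*OnClipboardChange\s*[:(]", re.M | re.I),
    # Assignment to the Clipboard built-in (':=' or legacy '='), but not '=='.
    "clipboard_write": re.compile(r"\bClipboard\s*:?=(?!=)", re.I),
    # Drive enumeration, the first step of the Fauxpersky-style spread.
    "drive_enum": re.compile(r"\bDriveGet\b", re.I),
    # Copying the running script itself somewhere else.
    "self_copy": re.compile(r"\bFileCopy\b.*\bA_ScriptFullPath\b", re.I),
    # Keeps the script resident after the auto-execute section ends.
    "persistence": re.compile(r"^\s*#Persistent\b", re.M | re.I),
}


def scan_ahk(script: str) -> dict:
    """Return the matched indicators and the behavioural patterns they combine into."""
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    findings = []
    if hits["clipboard_hook"] and hits["clipboard_write"]:
        findings.append("clipboard-hijack pattern (clipboard hook + clipboard overwrite)")
    if hits["drive_enum"] and hits["self_copy"]:
        findings.append("self-propagation pattern (drive enumeration + self copy)")
    return {"indicators": sorted(n for n, h in hits.items() if h), "findings": findings}


if __name__ == "__main__":
    for label, text in (("clipbanker", SAMPLE_CLIPBANKER),
                        ("propagator", SAMPLE_PROPAGATOR),
                        ("benign", SAMPLE_BENIGN)):
        result = scan_ahk(text)
        print(f"{label}: {result['findings'] or 'no suspicious combination'}")
```

This kind of matching only works on readable source. A script compiled into an executable, or one wrapped in the layered obfuscation functions mentioned later in the article, will not expose these keywords, so the scanner is a first-pass triage aid that should be paired with behavioural monitoring of clipboard writes and of file creation on removable drives.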
AHK-Based Malware Quickly Evolving
As it turns out, the Fauxpersky sample analyzed by Cybereason wasn’t at all complex. However, researchers come across more advanced and evolved malware strains on a daily basis. These samples show that their authors are learning how to put AutoHotKey to use in their malicious operations. The latest piece of AHK-based malware used five different obfuscation functions that are intertwined with one another.
All of these recent discoveries indicate that malware authors have found a new favorite scripting tool for developing new malware.