A targeted phishing attack was built around AutoIT, a popular automation and scripting tool for Windows system administrators, researchers said.
Attackers used AutoIT to install a Remote Access Trojan (RAT) on the victim's machine, “and maintain persistence on the host in a manner that’s similar to normal administration activity,” said researchers from Cisco’s Talos Group.
AutoIT then provides a vector by which the attacker can manage a sysadmin’s machine, and it’s less likely to generate the kind of activity antivirus software might detect.
“The combination of a legitimate administration tool being used to install a back-door onto a target system is unique and is why this attack caught our attention,” researchers said in a blog post.
The bait is a Microsoft Word document that uses a logo to impersonate a business – the Corlido Group, in the example given – with a macro that downloads and executes the attack binary.
One of the payloads Talos spotted in the attack was in the form of an AutoIT script – unusual in itself, since the novel approach left the attackers confident they didn’t have to obfuscate what was happening in an encrypted binary. The script “contained the actual functionality that performed anti-analysis checks, payload decryption, malware installation, and persistence.”
Many of the payloads Talos found were not detected by virus scanners. Researchers said users should strengthen their email phishing protections and blacklists of malicious websites.
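The chain the article describes (an Office document spawning a downloaded binary, which then runs an AutoIT script for installation and persistence) is something a defender can look for in process-creation telemetry, even when antivirus misses the payload. The following is an added example, not code from the article or from Talos: it parses constructed Sysmon-style log lines (the key=value layout, the field names and the sample paths are all assumptions) and flags an Office process spawning a child, and an AutoIt interpreter launched inside that chain or from a user-writable directory. Because the article notes that AutoIT use blends in with normal administration, the rules key on process parentage and file location rather than on the tool itself, so an administrator's own AutoIt3.exe run from Program Files is left alone.

```python
"""
Added example (not part of the original article or Talos's research).
Detects the Office -> dropped binary -> AutoIt chain in process-creation
logs. The log format is an assumed Sysmon-like "key=value" layout.
"""
import re
from dataclasses import dataclass

# Parent processes that should rarely spawn executables in a phishing-free world.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreter names for AutoIt scripts (assumption: uncompiled .au3 scripts).
AUTOIT_INTERPRETERS = {"autoit3.exe", "autoit3_x64.exe"}
SCRIPT_EXT = re.compile(r"\.au3\b", re.IGNORECASE)
# Directories a non-admin user can write to; legitimate admin tooling usually lives elsewhere.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# key=value pairs; values with spaces are quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log lines (not real telemetry). Line 1 and 2 are the
# phishing chain; line 3 is an admin's own AutoIt usage; line 4 is noise.
SAMPLE_LOG = """\
ts=2017-04-01T10:00:01 event=ProcessCreate parent="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe cmdline="update.exe"
ts=2017-04-01T10:00:02 event=ProcessCreate parent=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe image=C:\\Users\\alice\\AppData\\Roaming\\AutoIt3.exe cmdline="AutoIt3.exe C:\\Users\\alice\\AppData\\Roaming\\svc.au3"
ts=2017-04-01T10:05:00 event=ProcessCreate parent=C:\\Windows\\explorer.exe image="C:\\Program Files\\AutoIt3\\AutoIt3.exe" cmdline="AutoIt3.exe C:\\scripts\\inventory.au3"
ts=2017-04-01T10:06:00 event=ProcessCreate parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"
"""


@dataclass
class Alert:
    ts: str
    rule: str
    severity: str
    image: str


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_user_writable(text: str) -> bool:
    low = text.lower()
    return any(marker in low for marker in USER_WRITABLE)


def detect(log_text: str) -> list:
    """Scan process-creation events and return alerts for the AutoIt phishing chain."""
    alerts = []
    # Images spawned (directly or transitively) by an Office application.
    office_chain = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("event") != "ProcessCreate":
            continue
        parent, image, cmdline = ev.get("parent", ""), ev.get("image", ""), ev.get("cmdline", "")

        # Rule 1: an Office app spawning any executable is worth a look.
        if basename(parent) in OFFICE_PARENTS:
            office_chain.add(image.lower())
            alerts.append(Alert(ev["ts"], "office_spawns_process", "medium", image))
            continue

        # Rule 2: AutoIt interpreter or .au3 script execution, judged by context.
        if basename(image) in AUTOIT_INTERPRETERS or SCRIPT_EXT.search(cmdline):
            if parent.lower() in office_chain:
                # AutoIt launched by something an Office document dropped: the article's chain.
                office_chain.add(image.lower())
                alerts.append(Alert(ev["ts"], "autoit_in_phishing_chain", "high", image))
            elif in_user_writable(image) or in_user_writable(cmdline):
                # Interpreter or script living in a user-writable directory.
                alerts.append(Alert(ev["ts"], "autoit_from_user_writable_path", "medium", image))
            # Otherwise: AutoIt from an installed location with a script elsewhere, treated as admin use.
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} [{a.severity}] {a.rule}: {a.image}")
```

Run against the constructed log, the detector raises two alerts, the Word-spawned dropper and the AutoIt launch it parents, and stays quiet on the administrator's inventory script, which is the distinction the article says antivirus alone fails to make.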