{"id":1150,"date":"2020-12-31T14:57:41","date_gmt":"2020-12-31T14:57:41","guid":{"rendered":"https:\/\/zerothcode.com\/blog\/?p=1150"},"modified":"2020-12-31T14:57:41","modified_gmt":"2020-12-31T14:57:41","slug":"banking-malware-password-stealer","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/banking-malware-password-stealer\/","title":{"rendered":"AutoHotkey-Based Password Stealer Targeting US, Canadian Banking Users"},"content":{"rendered":"

banking-malware Threat actors have been discovered distributing a new credential stealer written in AutoHotkey (AHK) scripting language as part of an ongoing campaign that started early 2020.<\/p>\n

banking-malware Customers of financial institutions in the US and Canada are among the primary targets for credential exfiltration, with a specific focus on banks such as Scotiabank,<\/h4>\n

Royal Bank of Canada, HSBC, Alterna Bank, Capital One, Manulife, and EQ Bank. Also included in the list is an Indian banking firm ICICI Bank.<\/p>\n

AutoHotkey\u00a0is an open-source custom scripting language for Microsoft Windows aimed at providing easy hotkeys for macro-creation<\/p>\n

and software automation that allows users to automate repetitive tasks in any Windows application.<\/p>\n

The multi-stage infection chain commences with a malware-laced Excel file that’s embedded with a Visual Basic for Applications (VBA)\u00a0AutoOpen\u00a0macro,<\/p>\n

which is subsequently used to drop and execute the downloader client script (“adb.ahk”) via a legitimate portable AHK script compiler executable (“adb.exe”).<\/p>\n

\n
\"banking-malware\"<\/a>
banking-malware<\/figcaption><\/figure>\n<\/div>\n

The downloader client script is also responsible for achieving persistence, profiling victims,<\/p>\n

and downloading and running additional AHK scripts from command-and-control (C&C) servers located in the US, the Netherlands, and Sweden.<\/p>\n

What makes this malware different is that instead of receiving commands directly from the C&C server,<\/p>\n

it downloads and executes AHK scripts to accomplish different tasks.<\/p>\n

“By doing this, the attacker can decide to upload a specific script to achieve customized tasks for each user or group of users,” Trend Micro researchers\u00a0said in an analysis.<\/p>\n

“This also prevents the main components from being revealed publicly, specifically to other researchers or to sandboxes.”<\/p>\n

Chief among them is a credential stealer that targets various browsers such as Google Chrome, Opera, Microsoft Edge, and more.<\/p>\n

Once installed, the stealer also attempts to download an SQLite module (“sqlite3.dll”) on the infected machine, using it to perform SQL queries against the SQLite databases within browsers’ app folders.<\/p>\n

In the final step, the stealer collects and decrypts credentials from browsers and exfiltrates the information to the C&C server in plaintext via an HTTP POST request.<\/p>\n

Noting that the malware components are “well organized at the code level,”<\/p>\n

the researchers suggest the inclusion of usage instructions (written in Russian) could imply a “hack-for-hire” group that’s behind the attack chain’s creation and is offering it to others as a service.<\/p>\n

“By using a scripting language that lacks a built-in compiler within a victim’s operating system,<\/p>\n

loading malicious components to achieve various tasks separately, and changing the C&C server frequently, the attacker has been able to hide their intention from sandboxes,”<\/p>\n

the researchers concluded.<\/p>\n

Read More :https:\/\/zerothcode.com\/blog\/hackers-install-backdoor-mssql-hacking\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

banking-malware Threat actors have been discovered distributing a new credential stealer written in AutoHotkey (AHK) scripting language as part of<\/p>\n","protected":false},"author":1,"featured_media":1151,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[255,394,696,1198,389],"class_list":["post-1150","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=1150"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1150\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/1151"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=1150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=1150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=1150"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=1150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}