Living Off the Land in the 21st Century
During the Middle Ages, a vital aspect of any war was the ability to feed your troops. While the soldiers were mostly encouraged to forage and rely on the rations, they would often supplement their meals by stealing from local villages. This created chaos, incited hatred towards the advancing army and the warlords. Over time, the more disciplined armies asked soldiers to pay the peasants and had better logistics for feeding the troops.
On the digital battlefield, things have also changed over the years. While early malware would sow chaos on the computer they were infecting, the more modern kits have started adopting a stealthier approach. They try to only use tools that come preinstalled on operating systems, generally whitelisted by antivirus engines. This has come to be known as “living off the land”.
One such tool is AutoHotkey, also known in the gaming community as AHK. Initially, gamers use it to script monotonous tasks, to gain an edge over their opponents, from targeting assist in MOBAs to AIMBOTs in shooters, However, recently, it has bloated its interpreter with sophisticated tools to access underlying apps.
AHK — Blessing and Curse
AutoHotkey is an open-source scripting language for Windows, originally aimed at providing easy ways for users of most levels of computer skill to automate tasks in Windows applications — through keyboard shortcuts, fast macro-creation and software automation. However, its list of features doesn’t stop here. It can set up Windows Event Hooks, inject VBScript/JScript and even inject DLLs in other process’ memory. Being a reputable tool, it has gathered over the years a sizeable community that has been able to push its interpreter (a 800kb binary blob) into the whitelists of most of the antivirus vendors.
However, it has also attracted the attention of the wrong type of crowd. Malware authors have started using this scripting engine to fly under the radar and drop a varied range of payloads without triggering any AV alarms.
Looking at 59fd56e2334dcc1614225127d6c2dc4d4816556fe6c7e5d748ab8757035b6cec, we can notice that the file only has 5 detections. This is actually the packer, which leads us to 17f5e0ca54fc2d69b3be5f9a970b8748d9ad477b78d43f507d9dacd4b9226066. Again, we can find a binary with only 5 detections on the AV radar.
There we can notice how the logic is split over a VBS file, a batch file and a mysterious text file. Peeking inside the text file, we can see that it represents the entrypoint for the scripts inside:
After a bit more poking, we can find another script that solves the Rar.exe mystery packed inside the resource named “a” in the screenshot above:
Using the Rar.exe binary provided in the initial package and the password supplied above, we can finally get to the juicy payload which is…
Funny thing, all the dropping logic is written plainly in AHK (the dev got bored in the meantime) and although no evasion technique was used, it still netted a 50% detection rate on a suite of modern antivirus engines.
But what if he didn’t actually get bored, but he bought the dropper as a kit from somewhere deep down the dark web? (shame on him, he only got a couple of bucks off this miner). The theory holds especially when we examine the following malware creators.
High-tech Con Artists
While exploring the daily plethora of AHK scripts, we found some eerily similar snippets of code. Turns out all of them are based on a popular script for clipbankers roaming in the wild. The principle of operation for this malware is simple: it stays resident in memory and listens for any activity in your clipboard. When it contains anything resembling a crypto wallet, it replaces the content with its own wallet address, thus tricking you into sending funds to him instead.
As you can see, the script has a battery of wallets hardcoded which override anything the user might paste. If the transaction is not double checked, then the funds would be sent to the attacker rather than to the intended destination. Whenever funds would be deposited into his account, he would quickly withdraw them and leave his target penniless.
Following up, we can find another script from a different attacker that has the same structure, but has an extra target in its sights: Steam. The Steam trading platform is quite robust and may conduct millions of transactions per day. While technically it is not possible to cash out on your transactions (you can do that only if you plan on purchasing games/items on the Steam store), a lot of black markets are available for the intrepid trader who wants to get rich by selling his inventory.
Thus, every time somebody would copy and paste a transaction and not validate it by hand, the items involved in the transaction would end up in the attacker’s possession. However, Steam accounts can be a huge hole in your OPSEC if care is not taken.
When making transactions, the Steam partnerID is presented to the other party in order to provide an inventory to which the transaction contents will be delivered. Fortunately, only other Steam scammers fall prey to this, as nobody in their right mind initiates a trade with somebody without asking something in exchange.
We can extract a valid steamID from the partnerID and use that to lookup the user behind the malware.
Kudos to “Matt” for his OPSEC. With an inactive account, we can’t do anything other than stare blankly at the screen and curse him.
Another day, another chance to scroll through endless lists of autohotkey scripts, only to find something similar to our beloved clipboard hijacker. Fortunately enough, we soon find somebody who also put his partnerID in his script code as well.
After redoing the correlation procedure between the partnerID and the steamID, we finally find the person behind the malware:
Logging into steam and searching for the username nets us the following page:
We now have a foothold in building the profile for our guy. An avid gamer, passionate about crypto, he wants to make a bit of extra money/steam bling on the side. Unfortunately for him, he was a bit greedy/lazy and also puts his own steam ID inside the malware, leading us to him.
Git Good or Die Trying
But the saga of AHK does not stop here. Digging through the various scripts we encounter, we’ve found our most serious OPSEC offender. Unpacking e52c1f69f680aabf8e6d263660745743960a414fd04d61df337300414d6d4401 yields us a script that looks like this:
How do you bypass most firewalls and filters? Use only the most reputable hosting, of course. Github provides us with just that. Inside, we can find a lot of other projects with different mining clients that are being dropped onto the unsuspecting user. Notice that everything is being hosted under the vvolf2 username.
Using his Github user and the good old trusty Google foo, we discover that behind this nickname hides a real person. After a bit more digging on the internets we finally arrive to his VK page. Unfortunately, the post was deleted, but with some Google magic we managed to snoop this from the cached pages:
But what if he only wants to automate his work and deploy the miner to all his rigs using AHK? Surely there are still legitimate users to these kind of tools. Fortunately for us, a quick correlation between one of the SHAs that point to his github account and the filename led us to an especially shady website which confirmed the malicious intent:
The solution
There isn’t any. The Romans once had a saying “Est modus in rebus”, which basically means “Be moderate in everything you do”. The developers are the front line of defense when it comes to malware like this. Be mindful of what tools you write and always be aware of how they are being used. If need arises, take a step back, look at what you have created, and put checks and bounds on the features that are being mischievously used.
