Increase in Distribution of AutoIt Compile Malware via Phishing Emails
Overview
AhnLab SEcurity intelligence Center (ASEC) releases weekly information about malware distributed via phishing emails under the title “Weekly Phishing Email Distribution Cases” on the ASEC Blog.
While .NET-based malware was previously the most common type in EXE file distributions, there has been a recent surge in malware created using AutoIt. Additionally, the Infostealer XLoader was the most widely distributed. Other malware strains were also being distributed, including SnakeKeylogger, RedLine, AgentTesla, and RemcosRAT.
AutoIt is a scripting language developed to perform automated tasks on the Windows operating system, and it can be easily compiled into an EXE file. Since it requires minimal setup and does not need extra library installations, it is relatively easier to create than the “.NET” type.
Perhaps for that reason, the AutoIt malware types have increased sharply since August 2024 while .NET malware types have continued to decrease. This report examines monthly malware trends and 3 specific examples of AutoIt attacks that are being distributed.
Distribution Statistics
While the “.NET” malware type was previously dominant, there has been a recent surge in malware strains created using AutoIt. Starting from August 2024, there was a significant increase in its distribution. The gap between .NET malware distribution and other malware decreased to less than double, and by December, this difference had virtually disappeared. Figure 1 below shows a gradual decrease in the “.NET” malware distribution.
※ Values in the graph range from 0 to 10. A higher number signifies that more malware strains are being distributed.

Figure 1. Statistics graph of the 2024 distribution
The most probable reason for this trend is that compiling with AutoIt is relatively easier and has fewer dependencies than “.NET”. Additionally, the distribution numbers for both decreased significantly in December, which could be a temporary situation.
AutoIt Structure
Before getting into the distribution cases, this section briefly explains AutoIt. AutoIt is a scripting language developed to perform automation tasks on the Windows operating system, and it can be easily compiled into an EXE file. Compared to other languages, it has fewer dependencies on settings or environments and does not require separate library installations.
Up to v3.3.8.1, compiling a script into an EXE file stores the encrypted script in the EXE's overlay section, which is decrypted upon execution.

Figure 2. AutoIt EXE structure compiled with v3.3.8.1
In later versions, AutoIt stores the encrypted string in the RCData resource section when the program is compiled into an EXE file. This section is then decrypted upon execution.

Figure 3. AutoIt EXE structure compiled with v3.3.16.1
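The two layouts described above can be told apart statically. The following is an added triage example, not code from ASEC or AutoIt: it reports how many bytes follow the last PE section (overlay) and whether the resource directory has an RCData type entry. The function names, the sample builder and its constructed input are assumptions made for illustration.

```python
import struct

RT_RCDATA = 10  # Windows resource type ID for raw application-defined data

def script_storage(pe: bytes) -> dict:
    """Report overlay size and RCData presence for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]              # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)                  # data directory array
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]
    rsrc_rva = struct.unpack_from("<I", pe, dirs + 16)[0] if ndirs > 2 else 0
    # Section rows: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    secs = [struct.unpack_from("<8x4I", pe, opt + opt_size + 40 * i) for i in range(nsec)]
    raw_end = max((ptr + raw for _, _, raw, ptr in secs), default=0)
    has_rcdata = False
    for vsize, va, raw, ptr in secs:
        if rsrc_rva and va <= rsrc_rva < va + max(vsize, raw):
            root = ptr + rsrc_rva - va                      # file offset of resource root
            named, ids = struct.unpack_from("<HH", pe, root + 12)
            types = [struct.unpack_from("<I", pe, root + 16 + 8 * i)[0]
                     for i in range(named + ids)]
            has_rcdata = RT_RCDATA in types
    return {"overlay_bytes": max(len(pe) - raw_end, 0), "has_rcdata": has_rcdata}

def build_sample(overlay: bytes, type_id: int) -> bytes:
    """Constructed minimal PE32 with one .rsrc section (parser input only, not runnable)."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, 0x1000, 0x200)        # resource directory entry
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + bytes(opt)
           + struct.pack("<8sIIII16x", b".rsrc", 0x200, 0x1000, 0x200, 0x200))
    rsrc = struct.pack("<12xHHII", 0, 1, type_id, 0x80000018)
    return hdr.ljust(0x200, b"\0") + rsrc.ljust(0x200, b"\0") + overlay

if __name__ == "__main__":
    print(script_storage(build_sample(b"constructed overlay", 3)))   # 3 = RT_ICON, overlay layout
    print(script_storage(build_sample(b"", RT_RCDATA)))              # RCData layout
```

Neither signal identifies AutoIt on its own: Authenticode signatures and installer payloads also sit in the overlay, and many benign programs carry RCData resources. The result only indicates which of the two storage locations to examine in a file already suspected to be a compiled AutoIt script.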
This report provides detailed distribution cases of AutoIt malware according to their structures.