Martijn Lammerts
My own digital place with a little of everything

Potential Targeted Attack Uses AutoHotkey and Malicious Script Embedded in Excel File to Avoid Detection

By: Hiroyuki Kakara and Kazuki Fujisawa, Cyber Threat Research Team

We discovered a potential targeted attack that makes use of legitimate script engine AutoHotkey,in combination with malicious script files. This file is distributed as an email attachment and disguised as a legitimate document with the filename “Military Financing.xlsm.” The user would need to enable macro for it to open fully, which would use AutoHotkey in loading the malicious script file to avoid detection. It will then enable the threat actors to steal certain information and even download TeamViewer to gain remote access to the system.

If the user enables macro to open the xlsm file, it will then drop the legitimate script engine AutoHotkey along with a malicious script file. Once the AutoHotkey loads the malicious script file, it connects to its C&C server to download and execute additional script files in response to commands from the server. In our observation, it lastly downloaded and executed TeamViewer to gain remote control over the system. However, it can download and execute other script files depending on the command it receives from the C&C server.

Figure 1. Attack chain starting with the arrival of the email with the malicious attachment

The Excel File

The attached excel file is titled “Foreign Military Financing (FMF),” named after a program of the U.S. Defense Security Cooperation Agency. This cover was likely used to further push users to enable content so that they can access confidential information.

Figure 2. Content of the Excel file

At first glance, the excel file seems to only have one filled sheet. However, as can be seen in figure 2, it has another sheet inconspicuously named with a “ ” or a blank space.

Figure 3. HEX strings in the second sheet originally “hidden” using white font

Once the user enables macro for this file, it drops two files through the HEX strings written as binary text in two columns of the blank space sheet. These HEX strings are originally written in white font, to make it appear as if the columns were blank. These dropped files are:

  • Content of column X: 「C:\ProgramData\AutoHotkeyU32.exe」(legitimate AutoHotkey executable file)
  • Content of column Y: 「C:\ProgramData\AutoHotkeyU32.ahk」(malicious script for AutoHotkey created by the attacker)

The malicious string and abuse of AutoHotkey

Depending on the script files, the AutoHotkey application can assign a hotkey or execute any process written in the script file. In this case, the script file AutoHotkeyU32.ahk does not assign a hotkey but it does execute the following commands:

  • Create a link file in the startup folder for AutoHotkeyU32.exe, allowing the attack to persist even after a system restart.
  • Connect to the C&C server every 10 seconds to download, save, and execute script files containing the commands.
  • Send the volume serial number of the C drive, which allows the attacker to identify the victim.

Figure 4. A partial code snippet of AutoHotkeyu32.ahk

Figure 5. A sample C&C response

When the attacker sends a response similar to that shown in the figure 5 sample via the C&C, the script file converts the HEX strings into plain text, which translates to the URL “001::hxxp://” Then it downloads the ahk file (hscreen.ahk) from this URL, saves the file in “%temp%” folder using a random filename, and finally executes it by loading it through AutoHotkeyU32.exe. The URL was no longer available at the time of writing.

Further research uncovered other dropped files involved in this attack. These files allow the attackers to get the computer name and take screen captures. More importantly, one of these files also enables the download of TeamViewer, a remote access tool that gives threat actors remote control over the system.

We have yet to conclude this attack’s exact purpose. For now, we can surmise that it has the makings of a potential targeted attack because of its cyber espionage capabilities, as well as the potential for delivering ransomware and coinminer.

Security recommendations

As we continue to monitor this attack users can conduct re-asses their security measures against similar cases. Against most attacks, users should implement a multilayer defense and have mitigation protocols in place to detect and address intrusions. Users should also take full advantage of their network defense solutions by enhancing settings, especially for macro malware attached emails.

Such attacks highlight the need for caution before downloading files from unknown sources and enabling macro for files from unknown sources. Microsoft provides several security notifications about enabling content.

Other best practices:

  • Consistently check the sender, title, and body for any suspicious details before downloading and opening an attached file.
  • Always check the extension of any attached file to see if it is consistent with the received email.
  • Before enabling content to open a file, check for red flags such as content that urges the user to enable macro, or content that appears blank.

Indicators of Compromise (IoCs)

SHA256 Filename Detection name Description
EFE51C2453821310C7A34DCA3054021D0F6D453B7133C381D75E3140901EFD12 Military Financing.xlsm W2KM_HTV.ZKGD-A Carries the malicious script and AutoHotkeyU32.ahk
43FBDA74A65668333727C6512562DB4F9E712CF1D5AD9DCA8F06AE51BB937BA2 hscreen.ahk TSPY_HTV.ZJGD-A Takes screen captures
ACB3181D0408C908B2A434FC004BF24FB766D4CF68BF2978BC5653022F9F20BE AutoHotkeyU32.ahk BKDR_HTV.ZKGD-A Loads the malicious script
BE6C6B0942AD441953B0ED0C4327B9DED8A94E836EACA070ACA3988BADB31858 hinfo.ahk TSPY_HTV.ZLGD-A Gets the computer name
F64792324839F660B9BDFDA95501A568C076641CF08CE63C1DDBE29B45623AC0 htv.ahk TROJ_HTV.ZJGD-A Downloads and executes TeamViewer




The post Potential Targeted Attack Uses AutoHotkey and Malicious Script Embedded in Excel File to Avoid Detection appeared first on .