"Malware Actors Have Begun Using AutoHotkey Scripts For Attacks"

Living-off-the-Land (LotL) attacks involve the use of trusted pre-installed system tools to avoid installing foreign files or tools, thus allowing threat actors to hide their malicious activity. New LotL attacks have been overserved using AutoHotkey, which is a free, open-source scripting language for Microsoft Windows. AutoHotkey allows users to create scripts for various tasks such as auto-clicking, form fillers, and more. A recent attack that occurred in mid-May 2021 was observed misusing AutoHotkey. The Remote Access Trojan (RAT) delivery campaign started with an AutoHotkey-compiled script that loaded an executable, which branched into one of four versions when it ran. These versions involved different VBScripts and malware payloads, including Houdini, VjW0rm, and HCrypt. One of the ways companies can defend themselves against attacks via AutoHotkey scripts is to invest in security awareness training programs that use phishing tests. Such tests will make employees more familiar with email-based attacks. In addition to awareness training, companies are encouraged to carefully review native apps and tools used by employees to perform their normal work activities. This article continues to discuss the concept of LotL attacks, examples of malicious campaigns in which AutoHotkey scripts were used, and how employers can defend themselves against such attacks. 

Security Intelligence reports "Malware Actors Have Begun Using AutoHotkey Scripts For Attacks"