New Trojan.AutoIt.1443 Hits 28,000 Users via Game Cheats, Office Tool


Trojan.AutoIt.1443 targets 28,000 users, spreading via game cheats and office tools. This cryptomining and cryptostealing malware bypasses antivirus detection by using fake system components and file injection techniques.

Cybersecurity researchers at Doctor Web or Dr.Web have discovered a new cyber attack targeting thousands of users across Russia and neighbouring countries with Trojan.AutoIt.1443.

This campaign uses trojans disguised as office programs, game cheats, and online trading bots, infecting computers with cryptomining and cryptostealing malware. The attack also exploits fake system components, scripting tools, and file injection techniques to spread its malicious code.

Malware Delivery and Execution

The infection begins when unsuspecting users click on fraudulent links shared on platforms like GitHub and YouTube. These links lead to downloads of password-protected archives that can bypass basic antivirus scans. Once the password is entered, a sequence of files and scripts is extracted, which makes the malware installation possible.

YouTube videos involved in the malicious campaign (Credit: Dr.Web)

According to Dr.Web’s technical blog post, the infection relies on several key components to carry out its malicious activities. One of these is UnRar.exe, a legitimate program used to open RAR files. However, alongside it are scripts named Iun.bat and Uun.bat, which work behind the scenes to schedule tasks that set up the malware and erase any evidence afterwards.

Another important part of the attack is hidden within files called ShellExt.dll and UTShellExt.dll. These files, although seemingly harmless, actually trigger a malicious script disguised as a regular system tool. This script is written in AutoIt, a programming language typically used for automating tasks on Windows, but here, it’s being exploited to help the malware blend in and avoid detection.

The Malware’s Operations

Once activated, the malware scans for any debugging tools that may interrupt its execution. If no debugging software is detected, it proceeds to establish network access through the Ncat network utility, executing additional files to cement its presence within the system. It also manipulates the system registry, employing the Image File Execution Options (IFEO) technique to achieve persistence.

The IFEO technique allows developers to debug applications by redirecting system processes to other executables. However, in this campaign, cybercriminals exploit this functionality to execute malicious code every time system services or even trusted applications like Chrome or Edge update. This trick gives the malware control over critical system functions.

Cryptomining and Cryptostealing

The malware performs two main malicious tasks: cryptomining and cryptostealing. First, it uses a file called DeviceId.dll, disguised as part of the .NET framework, to install a cryptomining program known as SilentCryptoMiner. This program quietly runs on infected computers, using their processing power to generate cryptocurrency for the attackers without the user’s knowledge.

Second, it employs a file named 7zxa.dll, which looks like it belongs to the legitimate 7-Zip program, but actually contains a “clipper” tool. This tool monitors the clipboard for cryptocurrency wallet addresses, swapping them with the attackers’ addresses to divert funds.

So far, this technique has allowed the hackers to steal over $6,000. Both of these malicious files are hidden within the system by injecting them into the Windows Explorer process. This sneaky method, known as Process Hollowing (very similar to Process Doppelgänging), allows the malware to run unnoticed, leading to multiple instances of the Explorer process running at the same time, which is a sign of infection.

It is also worth noting that the infection chain of Trojan.AutoIt.1443 is similar to a recently discovered variant of Lua malware, which is distributed as an installer or a ZIP archive, often disguised as game cheats or other gaming-related tools.

Widespread Impact and Prevention Measures

This campaign has affected over 28,000 users, primarily in Russia but also in nearby countries such as Belarus, Kazakhstan, and Turkey. Most victims were tricked into installing pirated software, emphasizing the risks of downloading software from untrusted sources.

To protect against such threats, users are advised to:

  • Use reliable antivirus solutions.
  • Download software only from trusted sources.
  • Regularly update security software to detect the latest threats.
  • Avoid using pirated programs, as they often come bundled with malicious files.

As malware attacks become more advanced, unsuspected users need to stay alert and follow safe computing practices to avoid getting infected. Since cybercriminals are always finding new ways to attack, it’s important for users to stay up to date on the latest threats and security tips to protect their systems. Stay informed and follow Hackread.com for more.

  1. Fake League of Legends Download Ads Drop Lumma Stealer
  2. Global malspam targets hotels, spreading Redline, Vidar stealers
  3. Fake Windows site dropped Redline malware as Windows 11 upgrade
  4. Fake CAPTCHA Verification Pages Spreading Lumma Stealer Malware
  5. Ransomware Hidden as a Game: Kransom’s Attack Via DLL Side-Loading





Source link