RAT Dropped By Two Layers of AutoIT Code
May 21, 2025, 9:47 p.m.
Description
A malware attack involving multiple layers of AutoIT code has been discovered. The initial file, disguised as a project file, contains an AutoIT script that generates and executes a PowerShell script. The PowerShell script downloads an AutoIT interpreter and a second layer of AutoIT code. Persistence is achieved through a startup shortcut. The second layer of AutoIT code is heavily obfuscated and ultimately spawns a process that is injected with the final malware, likely AsyncRAT or PureHVNC. The attack uses file downloads, script execution, and process injection to deliver and maintain the malicious payload.
Date
- Created: May 19, 2025, 9:36 a.m.
- Published: May 19, 2025, 9:36 a.m.
- Modified: May 21, 2025, 9:47 p.m.
Indicators
- b5fbae9376db12a3fcbc99e83ccad97c87fb9e23370152d1452768a3676f5aeb
- https://xcvbsfq32e42313.xyz/hYlXpuF.txt
- https://xcvbsfq32e42313.xyz/OLpixJTrO
- xcvbsfq32e42313.xyz