An ongoing RAT delivery campaign started in February of this year.
The campaign is unique in that it relies heavily on the AutoHotKey scripting language, a fork of the AutoIt language that is frequently used for testing purposes.
Since February, at least four versions of the RAT delivery campaign have been identified, each of which includes multiple advancements and adaptations made over the past three months.
Techniques that the attackers use include:
- Manifest flow hijack through VbsEdit manipulation
- UAC bypass
- Emulator bypass
- Tampering with Microsoft Defender and other antivirus products
- In-place compilation
- Delivery through text share services
The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script.
This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command.
In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions.
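
A triage sketch for the compiled-script structure described above, added here and not taken from the original analysis: it checks a binary for the embedded-script marker and lists what a recovered script would drop through FileInstall. The `>AUTOHOTKEY SCRIPT<` resource name (Ahk2Exe behaviour for AutoHotkey v1.1+), the v1 comma syntax, the function names and the sample data are assumptions or constructed values, not details from the page.

```python
import ntpath
import re

# Assumption (not from the page): Ahk2Exe for AutoHotkey v1.1+ stores the script
# in an RCDATA resource with this name; PE resource names are UTF-16LE.
AHK_MARKER = ">AUTOHOTKEY SCRIPT<".encode("utf-16-le")
# Extensions treated as scripts/executables for triage (illustrative list).
RISKY_EXT = {".exe", ".dll", ".vbs", ".ahk", ".bat", ".cmd", ".ps1", ".js"}

def looks_like_compiled_ahk(data: bytes) -> bool:
    """Heuristic: PE header plus the embedded-script resource name."""
    return data[:2] == b"MZ" and AHK_MARKER in data

def list_fileinstall(script: str) -> list:
    """Return every 'FileInstall, Source, Dest [, Overwrite]' (AHK v1 syntax)."""
    found = []
    for raw in script.splitlines():
        line = re.sub(r"\s;.*$", "", raw).strip()  # drop trailing " ; comment"
        if line.startswith(";"):                   # whole-line comment
            continue
        m = re.match(r"(?i)FileInstall\s*,\s*(.+)$", line)
        if not m:
            continue
        parts = [p.strip() for p in m.group(1).split(",")]
        if len(parts) < 2:
            continue
        found.append({
            "source": parts[0],
            "dest": parts[1],
            "overwrite": len(parts) > 2 and parts[2] == "1",
            "risky": ntpath.splitext(parts[0])[1].lower() in RISKY_EXT,
        })
    return found

# Constructed sample script and blob (not taken from the campaign).
SAMPLE_SCRIPT = r"""#NoTrayIcon
FileInstall, setup_legit.exe, %A_Temp%\setup_legit.exe, 1
FileInstall, helper.vbs, %A_AppData%\helper.vbs, 1 ; dropped script
FileInstall, readme.txt, %A_Temp%\readme.txt
; FileInstall, old.exe, %A_Temp%\old.exe
Run, %A_Temp%\setup_legit.exe
"""
SAMPLE_BLOB = b"MZ" + b"\x00" * 64 + AHK_MARKER + SAMPLE_SCRIPT.encode()

if __name__ == "__main__":
    print("compiled AHK:", looks_like_compiled_ahk(SAMPLE_BLOB))
    for item in list_fileinstall(SAMPLE_SCRIPT):
        print(item)
```

A packed or compressed binary may not expose the marker, so a negative result from the heuristic does not rule out a compiled AHK script.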