Last year, my colleague Itai Liba blogged about the association between malware and AutoIt, a very convenient environment for malware and tools development. AutoIt allows both easy interface creation for rapid development and full Windows API access for whatever is not directly supported. We have seen an increase in the use of AutoIt scripts by malware authors and other bad guys to achieve their malicious ends.
Recently, we have seen AutoIt-compiled programs that drop malicious Bitcoin mining programs. The malware authors are using not only encrypted code but are also focusing on antianalysis code to bypass common analysis tools/systems used by security researchers. We have come across such multiple malicious tools on public forums that offer free premium accounts to online hosting services. Interestingly, if you run one of these malicious programs under VMware, the malware won’t run and throws up an error message that looks genuine.
Looking at the preceding message, most of us will think that the program has problem with its Internet connection or firewall and few may think to examine this further. But this malicious program can detect VMware, Sandboxie, and other spy programs, and deliberately displays this error to avoid analysis by researchers. Let’s find the cause of this error. Searching strings in the main program tells us that the program has been compiled using AutoIt.
Decompiling the program using Exe2Aut gives us the full original script code along with the embedded encrypted file 1.crypt. The decompiled code has about 2,000 lines; most of the code is from the AutoIt wrapper for WinHTTP functions called WinHTTP.au3. Here is snippet of exact code:
This code is not used at all. It’s here just to divert the attentions of researchers from looking into the main code. Here is the start-up code of this script:
The preceding code displays splash screen and finds required paths by detecting the operating system. The code then checks for the Sandboxie process SbieCtrl.exe and if that process is detected exits by displaying a similar error message as seen earlier. The script then calls the function _checkforspy(). The program doesn’t run any GUI offering free premium accounts and throws up a similar error message even if it runs on a clean system. Here is how the _checkforspy() code looks:
This function calls two more functions: one to check if the system is a virtual PC and the second to find analysis programs such as SysTracer, oSPY, API Monitor, etc. by looking at open program windows. Here is the itsvirtualpc() function:
The script checks for the presence of driver files VboxMouse.sys and vmmouse.sys to detect a virtual operating system and exits immediately by showing the “Connection failed” error. That’s the reason this program will not run under VMware. We can’t further analyze the malicious code. We could recompile the script by commenting out the antianalysis code with the help of AutoIt. Let’s now look at the _install() function of the same code:
The script drops GoogleSetup.exe in the Windows directory and installs the encrypted file 1.crypt by calling the _crypt_decryptfile function. The file 1.crypt is encrypted using the $CALG_AES_128 algorithm with the key fuck123. The script writes a registry key and runs GoogleSetup.exe. The dropped executable is again an AutoIt-compiled program that drops a CPU-miner program similar to this CPUminer. Here is the code that drops and runs the Bitcoin-mining code:
The dropped miner program keeps on sending POST requests to the mining service shown below:
Attackers have used AutoIt scripts for a long time, and it is gaining popularity due to its flexible and powerful nature. The output of the AutoIt script is a single executable, with no dependencies, that contains a script and attached binaries. Although AutoIt-compiled programs are easy to decompile with the help of antianalysis code and encrypted malicious code, they can evade manual as well as automated analysis.