AutoHotkey Malware Audit

Find AutoHotkey installations in your organization

AutoHotkey, an open-source scripting language for Windows used for form fillers, auto-clickers, macros and similar automation, has been the target of multiple malware campaigns. On its own, AutoHotkey isn't dangerous or malicious; it relies completely on scripts to perform actions. Recently, however, attackers have been using AutoHotkey scripts to deliver remote access trojans (RATs) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini and Vjw0rm, hidden inside an otherwise usable AutoHotkey script.

Detect AutoHotkey Malware Scripts

The infection begins with an AutoHotkey executable that proceeds to execute different VBScripts, which load the RAT on the affected system. Another variant of this malware blocks connections to antivirus solutions by modifying the hosts file on the affected system.

Morphisec states that all the different attack chains are attributed to the same threat actor; in each of them the AHK script is used to disable Microsoft Windows Defender.

The campaigns used uncommon techniques such as:

  • UAC bypass
  • Emulator bypass
  • Tampering with Microsoft Defender and antivirus products
  • Delivery through text-sharing services
  • Manifest flow hijack through VbsEdit manipulation
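The hosts-file variant described above is easy to spot from the file itself: an entry that points an antivirus vendor's update or telemetry hostname at a loopback or null address has no legitimate reason to exist on a managed endpoint. The following script is an added example, not code from the original page or from Lansweeper; the sample hosts-file content and the vendor-domain suffix list are constructed for the demonstration and should be replaced with the hostnames of the security products actually deployed in your environment.

```python
"""Detect hosts-file entries that sinkhole security-vendor hostnames.

Added example (not part of the original page). The vendor suffix list and
the sample hosts content are constructed assumptions for the demo.
"""
import ipaddress

# Assumption: hostname suffixes of security vendors an attacker might block
# to keep an endpoint from reaching its antivirus updates or cloud lookups.
SECURITY_VENDOR_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "eset.com",
    "sophos.com",
    "avast.com",
    "bitdefender.com",
)

# Addresses that make a hostname resolve to nothing useful.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Comments (# ...) and blank lines are skipped, and one line may map several
    hostnames to the same address. Lines whose first field is not an IP
    address are ignored as malformed rather than reported.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, hostnames = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for host in hostnames:
            yield ip, host.lower(), line_no


def is_vendor_host(hostname):
    """True when hostname is a vendor domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in SECURITY_VENDOR_SUFFIXES)


def find_blocked_vendors(text):
    """Return hosts-file entries that sinkhole a security-vendor hostname."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if is_vendor_host(host) and ip in SINKHOLE_ADDRESSES:
            findings.append({"line": line_no, "ip": ip, "host": host})
    return findings


# Constructed sample: the stock localhost lines, two entries of the kind the
# hosts-file variant adds, and one benign internal mapping.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  update.symantec.com liveupdate.symantec.com   # added by malware
127.0.0.1 download.microsoft.com
10.0.0.5  intranet.example.local
"""

if __name__ == "__main__":
    # On a real Windows host, read C:\Windows\System32\drivers\etc\hosts instead.
    for f in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

Run against the sample it reports the two Symantec names on line 4 and the Microsoft download host on line 5, while the localhost and intranet entries pass. Pairing a check like this with the software inventory report further down gives both halves of the picture: which machines can run AHK scripts, and which ones already show the tampering this campaign leaves behind.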

To keep these malware campaigns from affecting your organization, a useful first step is to find exactly which machines have the capability to run these scripts. The report below provides an overview of all AutoHotkey installations in your network, along with the installed version.


AutoHotkey Software Query

-- Lists every active asset with an AutoHotkey install, its version and publisher,
-- the last logged-on user, and the most recent scanning error (if any).
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetUnique,
  tblAssets.Domain,
  tblAssets.Username,
  tblADusers.Displayname As [User],
  tblSoftwareUni.softwareName As software,
  tblSoftware.softwareVersion As version,
  tblSoftwareUni.SoftwarePublisher As publisher,
  tsysOS.Image As icon,
  -- Only flag an error when there is actual error text; the original used Or,
  -- which would also prefix 'Scanning Error: ' for an empty ErrorText.
  Case
    When tblErrors.ErrorText Is Not Null And
      tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblassets.Lasttried,
  tblassets.Lastseen
From tblSoftware
  Inner Join tblAssets On tblSoftware.AssetID = tblAssets.AssetID
  Inner Join tblSoftwareUni On tblSoftware.softID = tblSoftwareUni.SoftID
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Left Join tblADusers On tblADusers.Username = tblAssets.Username And
    tblADusers.Userdomain = tblAssets.Userdomain
  -- Keep only the latest error (highest Teller) per asset
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
Where tblSoftwareUni.softwareName Like '%autohotkey%' And
  tblAssetCustom.State = 1   -- 1 = active asset
Order By tblAssets.AssetName,
  software,
  version
