Find AutoHotkey installations in your organization
AutoHotkey, an open-source scripting language for Windows used for form fillers, auto-clicking, macros and similar automation, has been abused in multiple malware attacks. On its own, AutoHotkey isn't dangerous or malicious; it relies completely on scripts to perform actions. However, attackers have recently been using AutoHotkey scripts to deliver remote access trojans (RATs) such as Revenge RAT, LimeRAT, AsyncRAT, Houdini and Vjw0rm, hidden inside an otherwise working AutoHotkey script.
Detect AutoHotkey Malware Scripts
The infection begins with an AutoHotkey executable that proceeds to execute different VBScripts, which in turn load the RAT on the affected system. Another variant of this malware blocks connections to antivirus solutions by modifying the hosts file on the affected system.
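The hosts-file tampering variant described above leaves a simple artifact to check for: vendor or update domains pinned to loopback, 0.0.0.0 or an attacker-chosen address. The following is an added example (not part of the original report) that parses hosts-file text and flags such entries; the watched domain list and the sample hosts content are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch list (not from the report): domain suffixes an AV or
# Windows Update client must reach. Extend it with your own vendors.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com",
                    "kaspersky.com", "mcafee.com", "eset.com", "avast.com")

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each effective hosts entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not a hosts mapping
        yield no, ip, [h.lower().rstrip(".") for h in parts[1:]]

def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_sinkholed(text):
    """Return [(line_no, ip, host)] for watched domains pinned in hosts.

    Any pin of a vendor domain is suspicious: to loopback or 0.0.0.0 it
    blocks the client, to any other address it redirects the connection.
    """
    return [(no, str(ip), h)
            for no, ip, hosts in parse_hosts(text)
            for h in hosts if is_watched(h)]

# Constructed sample hosts file (not captured from a real system).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # benign internal entry
0.0.0.0         www.symantec.com
127.0.0.1       update.eset.com liveupdate.symantec.com
"""

if __name__ == "__main__":
    for no, ip, host in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip}")
```

On a Windows host, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts; an empty result is the expected baseline.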
Morphisec states that all the different attack chains are attributed to the same threat actor, and that the AHK script is used to disable Microsoft Windows Defender.
The campaigns used rare techniques such as:
- UAC Bypass
- Emulator Bypass
- Tampering with Microsoft Defender and antivirus products
- Delivery through text share services
- Manifest flow hijack through VbsEdit manipulation
To keep these malware campaigns from affecting your organization, a useful first step is to find exactly which machines in your organization are capable of running these scripts. The report below lists all AutoHotkey installations in your network along with their version.
AutoHotkey Software Query
Select Top 1000000
  tblAssets.AssetID,
  tblAssets.AssetUnique,
  tblAssets.Domain,
  tblAssets.Username,
  tblADusers.Displayname As [User],
  tblSoftwareUni.softwareName As software,
  tblSoftware.softwareVersion As version,
  tblSoftwareUni.SoftwarePublisher As publisher,
  tsysOS.Image As icon,
  Case
    When tblErrors.ErrorText Is Not Null Or tblErrors.ErrorText != '' Then 'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblassets.Lasttried,
  tblassets.Lastseen
From tblSoftware
  Inner Join tblAssets On tblSoftware.AssetID = tblAssets.AssetID
  Inner Join tblSoftwareUni On tblSoftware.softID = tblSoftwareUni.SoftID
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysOS On tblAssets.OScode = tsysOS.OScode
  Left Join tblADusers On tblADusers.Username = tblAssets.Username And tblADusers.Userdomain = tblAssets.Userdomain
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID, Max(tblErrors.Teller) As ErrorID
             From tblErrors
             Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
Where tblSoftwareUni.softwareName Like '%autohotkey%'
  And tblAssetCustom.State = 1
Order By tblAssets.AssetName, software, version