Analysis of LNK-Based Obfuscated AutoIt Malware – Docguard

An analysis of an LNK-based malware sample reveals a multi-layer obfuscation and deobfuscation workflow centered on AutoIt, HTA, and PowerShell for downloading and executing payloads. The report traces the dropped HTA and ZIP contents, decodes and cleans the AutoIt script, and lists IOCs and the sandbox/EDR evasion techniques observed.

Keypoints

  • The infection chain starts with an LNK file; static analysis and AutoIt deobfuscation focus on its headers and embedded commands.
  • An HTA file is used to download and execute a remote PowerShell-based payload from a server.
  • The analysis uncovers a multi-layer deobfuscation workflow, including ASCII-decimal strings, custom encoding, and AES encryption.
  • The dropped content includes an embedded ZIP inside solaris.exe with multiple components and obfuscated commands that are decoded to readable actions.
  • The malware performs sandbox/EDR evasion techniques and probes for security software processes as part of defense evasion.
  • IOCs include MD5 hashes, a malicious domain, and an explicit IP address observed in the sample.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – The report shows decoding/encoding steps and multiple obfuscation layers. “There is a string of ascii characters in decimal format. It seems to be considered to convert all of them to ascii format and get a new code.”
  • [T1059.001] PowerShell – The HTA-based dropper uses PowerShell to fetch and execute code from a remote server. “downloads and executes an HTA type file with powershell from a remote server.”
  • [T1059.003] Windows Command Shell – The sample contains malicious cmd commands within an obfuscated file. “The first file that the malware starts here is the United file. We can see that it contains malicious cmd commands.”
  • [T1105] Ingress Tool Transfer – The malware downloads an HTA file and executes it via PowerShell from a remote server. “downloads and executes an HTA type file with powershell from a remote server.”
  • [T1057] Process Discovery – The code checks for security-related processes to detect defenses. “Checking avastui.exe, avgui.exe, nswscsvc.exe and sophoshealth.exe processes.”
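As an added example (not code from the Docguard report or the sample), the helper below performs the first deobfuscation step described under T1027: it locates runs of decimal-encoded ASCII in a script, converts them to readable text, and reports what it recovered. The input script is a constructed sample modelled on that pattern, not the real malware.

```python
import re
from typing import List, Optional, Tuple

# A run of at least four decimal values (0-999) separated by commas or spaces,
# e.g. "112,111,119,101". Look-arounds stop partial matches inside longer numbers.
_DEC_RUN = re.compile(r"(?<!\d)(?:\d{1,3}\s*[, ]\s*){3,}\d{1,3}(?!\d)")


def decode_decimal_run(run: str) -> Optional[str]:
    """Convert '72,101,108,108,111' -> 'Hello'.

    Returns None when any value is outside printable ASCII (tab/newline allowed),
    so ordinary numeric arrays in a script are left untouched.
    """
    values = [int(v) for v in re.split(r"[,\s]+", run.strip()) if v]
    if not all(32 <= v < 127 or v in (9, 10, 13) for v in values):
        return None
    return "".join(chr(v) for v in values)


def deobfuscate_decimal_strings(script: str) -> Tuple[str, List[str]]:
    """Replace every decodable decimal-ASCII run with a quoted string.

    Returns the rewritten script and the list of strings that were recovered,
    which is what an analyst wants to pivot on (commands, URLs, process names).
    """
    recovered: List[str] = []

    def _sub(match: "re.Match[str]") -> str:
        text = decode_decimal_run(match.group(0))
        if text is None:
            return match.group(0)  # not text: keep the original bytes
        recovered.append(text)
        return '"' + text + '"'

    return _DEC_RUN.sub(_sub, script), recovered


# Constructed sample (hypothetical), shaped like the encoded strings the report describes.
SAMPLE = (
    "Local $a = 1,2,3,4\n"
    "Local $cmd = Execute(112,111,119,101,114,115,104,101,108,108)\n"
)

if __name__ == "__main__":
    cleaned, strings = deobfuscate_decimal_strings(SAMPLE)
    print(cleaned)
    print("recovered:", strings)
```

Short numeric arrays such as `1,2,3,4` are preserved because they fail the printable-ASCII check, which keeps the rewrite from corrupting legitimate code.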

Indicators of Compromise

  • MD5 – 848164d084384c49937f99d5b894253e, 3d89cbe9713713fc038093637a602b29, and 13 more hashes
  • Domain – mw-solaris[.]com
  • IP – 91[.]92[.]251[.]35

Read more: https://www.docguard.io/analysis-of-lnk-based-obfuscated-autoit-malware/