This week, the SonicWall Capture Labs threat research team identified an AutoIT-compiled executable that targets Gmail login pages across multiple browsers, featuring keystroke logging, clipboard reading, and system control while also employing obfuscated libraries to evade detection. SonicWall released the “MalAgent.AutoITBot” signature to protect customers. #MalAgentAutoITBot #Gmail
Keypoints
- AutoIT-compiled executable named “File.exe” identified as the malware sample.
- Targets Gmail login pages across MS Edge, Google Chrome, and Mozilla Firefox.
- Capable of reading clipboard data and capturing keystrokes.
- Can run as different users and restart or shut down the system.
- Detects debuggers and blocks user input if one is found.
- Obfuscated libraries indicate advanced evasion techniques.
MITRE Techniques
- [T1003] Credential Dumping – Keylogging functionality to capture user credentials.
- [T1219] Remote Access Tools – Establishes a listening socket for remote control.
- [T1056] Input Capture – Captures keystrokes to gather sensitive information.
- [T1027] Obfuscated Files or Information – Uses obfuscated libraries to evade detection.
Indicators of Compromise
- [File name] – The malware uses the file name File.exe
- [Hash] – SHA-256 hash observed: 6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0
- [Domain] – Referenced domains that could be targets or indicators: accounts.google.com, facebook.com
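A defender-side way to use these indicators, as an added example that is not SonicWall's code: match a file inventory (for instance one exported from an EDR; the (path, sha256) row format is an assumption) against the bulletin's file name and SHA-256, rating a hash match high and a bare name match low, since File.exe is a common name. The inventory rows below are constructed.

```python
"""Hunt for the File.exe / SHA-256 indicators from this bulletin.
Example code, not SonicWall's; the inventory row format is assumed."""
import hashlib
from pathlib import Path, PureWindowsPath

# Indicators taken from the bulletin above.
IOC_SHA256 = {"6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0"}
IOC_NAMES = {"file.exe"}

# Constructed sample inventory: one true hit, one clean file, one name-only hit.
SAMPLE_INVENTORY = [
    ("C:\\Users\\alice\\Downloads\\File.exe",
     "6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0"),
    ("C:\\Windows\\System32\\notepad.exe", "00" * 32),
    ("C:\\Temp\\file.exe", "ff" * 32),
]


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_indicators(name, sha256_hex):
    """Return the indicators a (name, hash) pair matches, case-insensitively.
    'hash' is a confident match; 'name' alone is weak evidence."""
    hits = []
    if sha256_hex.lower() in IOC_SHA256:
        hits.append("hash")
    if name.lower() in IOC_NAMES:
        hits.append("name")
    return hits


def scan_inventory(rows):
    """rows: iterable of (path, sha256_hex). Returns only the rows that hit,
    each with its matched indicators and a severity for triage."""
    findings = []
    for path, digest in rows:
        hits = match_indicators(PureWindowsPath(path).name, digest)
        if hits:
            severity = "high" if "hash" in hits else "low"
            findings.append({"path": path, "hits": hits, "severity": severity})
    return findings


def scan_tree(root):
    """Build inventory rows for a live directory tree and scan them."""
    rows = [(str(p), sha256_file(p)) for p in Path(root).rglob("*") if p.is_file()]
    return scan_inventory(rows)


if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        print(f["severity"], f["path"], f["hits"])
```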
Read more: https://blog.sonicwall.com/en-us/2024/08/autoit-bot-targets-gmail-accounts-first/