
AutoIT3 Compiled Scripts Dropping Shellcodes, (Fri, Dec 5th)

Severity: Medium
Tags: Malware, Windows
Published: Fri Dec 05 2025 (12/05/2025, 07:12:12 UTC)
Source: SANS ISC Handlers Diary

Description

AutoIT3[1] is a powerful language that helps build useful applications for Windows environments, mainly to automate tasks. Although it looks pretty old, the latest version was released last September and it remains popular amongst developers, for the good… or the bad! Malware written in AutoIt3 has existed since the late 2000s, when attackers realized that the language was easy to learn (close to BASIC) but could also be compiled into standalone PE files! From a malware point of view, such executables make extensive use of packed data, making them more stealthy.

AI-Powered Analysis

Last updated: 12/06/2025, 04:45:45 UTC

Technical Analysis

AutoIT3 is a scripting language primarily used for Windows automation, known for its simplicity and its ability to compile scripts into standalone PE executables. Attackers have abused AutoIT3 since the late 2000s to create malware that is stealthy due to heavy use of packed data and obfuscation. The analyzed threat involves AutoIT3 compiled scripts that embed files within the executable using the FileInstall() function. This function lets the script include external files at compile time, which are then extracted to the %TEMP% directory at runtime.

The malware samples drop two files: one is an obfuscated shellcode file, and the other is a helper or payload file. The shellcode is deobfuscated using a simple ASCII decrement (subtracting 1 from each character's ASCII value) and then loaded into executable memory via VirtualAlloc. Execution is triggered using CallWindowProc, a known technique to run shellcode stealthily within the context of user32.dll. Two identified samples deliver different payloads: one a Quasar Remote Access Trojan (RAT), the other a Phantom stealer, both capable of data exfiltration and remote control.

The malware is distributed in ZIP archives containing the compiled AutoIT executable, which has a high detection rate on VirusTotal (33/72). The threat actor's use of AutoIT3 allows easy script modification and repacking, making detection and attribution challenging. The obfuscation and packing techniques hinder static analysis, while the runtime shellcode execution evades many traditional antivirus heuristics. This attack vector does not exploit software vulnerabilities but abuses scripting capabilities to deliver and execute malicious payloads.
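The one-byte ASCII decrement described above is trivial to reverse, which is exactly what an analyst wants when triaging the files a sample leaves in %TEMP%. The following is an added example (not code from the ISC diary or from the malware): it applies the same subtraction to a dropped file and lists printable strings before and after decoding, so that a blob whose strings read as shifted gibberish on disk becomes readable. The sample bytes, the configuration-style plaintext and the `c2.example.invalid` hostname are constructed placeholders.

```python
import re
from typing import Dict, List


def decrement_decode(data: bytes) -> bytes:
    """Undo the loader's transformation. The diary describes the loader
    subtracting 1 from each byte's ASCII value before treating the result
    as shellcode, so the same subtraction recovers what the loader runs."""
    return bytes((b - 1) & 0xFF for b in data)


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes (like the `strings` tool)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_dropped_file(data: bytes) -> Dict[str, object]:
    """Decode a dropped %TEMP% file and report the strings an analyst would
    look at first. Incrementing printable ASCII mostly yields other printable
    ASCII, so the on-disk strings look like shifted nonsense, while the decoded
    strings expose hostnames, ports and other indicators."""
    decoded = decrement_decode(data)
    return {
        "strings_on_disk": extract_strings(data),
        "strings_decoded": extract_strings(decoded),
        "decoded": decoded,
    }


# Constructed sample: a pretend configuration blob stored the way the loader
# expects it (every byte incremented by one). Hostname is a reserved placeholder.
_PLAINTEXT = b"\x00\x00host=c2.example.invalid;port=4444\x00"
SAMPLE_ON_DISK = bytes((b + 1) & 0xFF for b in _PLAINTEXT)

if __name__ == "__main__":
    report = triage_dropped_file(SAMPLE_ON_DISK)
    print("strings on disk :", report["strings_on_disk"])
    print("strings decoded :", report["strings_decoded"])
```

Run it against an actual dropped file by reading the file's bytes and passing them to `triage_dropped_file`; a real sample would additionally be checked for code, not just strings, but the decoded strings are usually where the first indicators (hosts, ports, mutex names) show up.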

Potential Impact

For European organizations, this threat poses a significant risk primarily to Windows environments where AutoIT3 scripts might be executed or where users might run unknown executables from ZIP archives. The delivered payloads, such as Quasar RAT and Phantom stealer, can lead to severe confidentiality breaches through data theft, unauthorized remote access, and potential lateral movement within networks. The stealthy nature of the shellcode execution complicates detection and response, increasing dwell time and potential damage. Sectors with high-value data or critical infrastructure, including finance, healthcare, and government, could face targeted attacks leveraging this technique. The malware’s ability to evade signature-based detection and its use of legitimate Windows API calls for execution increase the likelihood of successful compromise. Additionally, the ease of modifying AutoIT scripts means attackers can rapidly adapt payloads to bypass defenses. The threat could also facilitate ransomware deployment or espionage campaigns if combined with other attack stages. Overall, the impact includes loss of data confidentiality, integrity risks due to unauthorized code execution, and potential availability issues if systems are manipulated or disrupted.

Mitigation Recommendations

European organizations should implement advanced endpoint detection and response (EDR) solutions capable of behavioral analysis to detect unusual use of AutoIT scripts and suspicious API calls such as VirtualAlloc and CallWindowProc. Specifically, monitoring for the creation of unexpected files in %TEMP% directories, especially those extracted by FileInstall() or similar functions, can help identify malicious activity. Restrict execution of AutoIT compiled scripts from untrusted sources and enforce application whitelisting policies to prevent unauthorized binaries from running. Network segmentation and strict access controls can limit the spread of RATs and stealers if initial compromise occurs. Employ threat hunting to search for indicators of compromise related to AutoIT malware, including hashes of known samples and suspicious script behaviors. Educate users about the risks of opening executables from ZIP files received via email or downloads. Regularly update antivirus and endpoint protection signatures, but do not rely solely on them due to obfuscation techniques. Finally, consider deploying script-blocking policies or disabling AutoIT execution where not required, and monitor PowerShell and scripting environments for anomalous activity that may indicate similar attack patterns.
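The recommendation to watch for unexpected files appearing in %TEMP% can be expressed as a simple correlation rule: a single non-installer process creating several files in a temporary directory within a few seconds, which matches the two-file drop described in the analysis. The following is an added example, not a rule shipped by the ISC or by any EDR product; the `FileCreateEvent` shape, the `KNOWN_UNPACKERS` allow list and the sample events are constructed assumptions to be adapted to the telemetry and environment at hand.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FileCreateEvent:
    """Minimal file-creation telemetry record (constructed; the field names are
    an assumption, not a real EDR or Sysmon schema)."""
    ts: float      # seconds since epoch
    pid: int
    image: str     # full path of the creating process
    path: str      # full path of the created file


# Substrings that identify the usual temporary locations on Windows.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Processes that legitimately unpack into %TEMP%; tune per environment (assumption).
KNOWN_UNPACKERS = {"msiexec.exe", "setup.exe"}


def in_temp(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def find_temp_droppers(
    events: Iterable[FileCreateEvent], window_s: float = 5.0, min_files: int = 2
) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, image, dropped paths) for each process that creates at least
    min_files files in a %TEMP% location within window_s seconds, skipping
    processes on the unpacker allow list."""
    per_process: Dict[Tuple[int, str], List[FileCreateEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if not in_temp(ev.path):
            continue
        if ntpath.basename(ev.image).lower() in KNOWN_UNPACKERS:
            continue
        per_process[(ev.pid, ev.image)].append(ev)

    hits = []
    for (pid, image), evs in per_process.items():
        # Slide a window over the process's temp writes; report the first burst.
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e.ts - first.ts <= window_s]
            if len(burst) >= min_files:
                hits.append((pid, image, [e.path for e in burst]))
                break
    return hits


# Constructed sample telemetry: one suspicious two-file drop from a downloaded
# executable, a lone thumbnail write by explorer.exe, and an MSI install.
SAMPLE_EVENTS = [
    FileCreateEvent(100.0, 4321, r"C:\Users\alice\Downloads\Invoice_2025.exe",
                    r"C:\Users\alice\AppData\Local\Temp\abc123.dat"),
    FileCreateEvent(100.4, 4321, r"C:\Users\alice\Downloads\Invoice_2025.exe",
                    r"C:\Users\alice\AppData\Local\Temp\helper.bin"),
    FileCreateEvent(101.0, 880, r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\AppData\Local\Temp\thumb.tmp"),
    FileCreateEvent(102.0, 5100, r"C:\Windows\System32\msiexec.exe",
                    r"C:\Windows\Temp\MSI1.tmp"),
    FileCreateEvent(102.5, 5100, r"C:\Windows\System32\msiexec.exe",
                    r"C:\Windows\Temp\MSI2.tmp"),
    FileCreateEvent(300.0, 4321, r"C:\Users\alice\Downloads\Invoice_2025.exe",
                    r"C:\Users\alice\Documents\report.txt"),
]

if __name__ == "__main__":
    for pid, image, paths in find_temp_droppers(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}) dropped {len(paths)} files in %TEMP%: {paths}")
```

The rule is deliberately coarse: it fires on the drop pattern alone, so it belongs as an enrichment signal next to process-ancestry and API-behaviour detections rather than as a blocking control, and the allow list has to be maintained, since legitimate installers produce the same pattern.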


Technical Details

Article source: https://isc.sans.edu/diary/rss/32542 (fetched 2025-12-06T04:45:11Z, 784 words)

Threat ID: 6933b4eb2271496a0fa6c8b0

Added to database: 12/6/2025, 4:45:31 AM

Last enriched: 12/6/2025, 4:45:45 AM

Last updated: 12/6/2025, 6:28:48 AM

