AutoIT3 Compiled Scripts Dropping Shellcodes, (Fri, Dec 5th)
AutoIT3[1] is a powerful language that helps to build nice applications for Windows environments, mainly to automate tasks. Although it looks pretty old, the latest version was released last September and it remains popular amongst developers, for the good… or the bad! Malware written in AutoIt3 has existed since the late 2000s, when attackers realized that the language was easy to learn (close to BASIC) but can also be compiled into standalone PE files! From a malware point of view, such executables make extensive use of packed data, making them more stealthy.
AI Analysis
Technical Summary
AutoIT3 is a scripting language popular for automating Windows tasks and capable of compiling scripts into standalone PE executables. Attackers abuse AutoIT3's FileInstall() function, which embeds an external file into the compiled script, to drop obfuscated shellcode onto infected systems. When executed, the compiled script extracts the embedded payload (e.g., a file named 'inhumation' or 'buncal') into the %TEMP% directory. The shellcode is obfuscated with a simple ASCII decrement function, decoded, and then read into memory. The script allocates executable memory via VirtualAlloc, copies the shellcode into that memory, and executes it through the CallWindowProc API from user32.dll, a known technique for running shellcode without a direct thread-creation call. Samples analyzed include executables delivering Quasar RAT and Phantom stealer malware. The use of packed data and obfuscation enhances stealth. This attack vector has been observed in recent waves, indicating active use by threat actors. The malware does not require user interaction beyond execution and does not rely on known exploits but on script-based payload delivery and execution.
Potential Impact
For European organizations, this threat poses a risk primarily to Windows endpoints where AutoIT3 scripts or executables are used or can be executed. The stealthy nature of the payload delivery and execution can lead to undetected persistence, data exfiltration, and remote access via RATs like Quasar. The Phantom stealer component can compromise credentials and sensitive information, impacting confidentiality. The ability to execute arbitrary shellcode in memory without dropping traditional malware files increases the difficulty of detection and remediation. Sectors with high automation reliance or legacy script usage, such as manufacturing, finance, or government, may face increased exposure. The medium severity reflects the potential for significant impact if the malware is deployed successfully, especially in environments lacking robust endpoint detection and response capabilities.
Mitigation Recommendations
1. Implement strict application whitelisting to prevent unauthorized execution of AutoIT3 compiled scripts, especially those delivered via email or downloaded from untrusted sources.
2. Monitor and alert on the use of the FileInstall() function within AutoIT scripts, particularly when scripts drop files into temporary directories.
3. Employ endpoint detection solutions capable of detecting in-memory shellcode execution and suspicious API calls such as VirtualAlloc and CallWindowProc.
4. Conduct regular audits of automation scripts and executables to identify and remove legacy or unauthorized AutoIT3 scripts.
5. Use sandboxing and detonation environments to analyze suspicious AutoIT executables before allowing them in production.
6. Educate users and administrators about the risks of executing unknown scripts and the signs of AutoIT-based malware.
7. Restrict write permissions to %TEMP% directories and monitor file creation activities in these locations.
8. Integrate threat intelligence feeds to detect known hashes and indicators related to these threats.
9. Harden email and web gateways to block ZIP archives containing executable files or scripts.
10. Maintain up-to-date antivirus and endpoint protection platforms with heuristic and behavioral detection capabilities.
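A defender-side check for the execution chain described in the technical summary (VirtualAlloc with execute protection, copy, CallWindowProc) and for the API-monitoring recommendation in item 3, added here as an example and not code from the diary or from the analysed samples: it scans API-trace lines and flags CallWindowProc calls whose function-pointer argument lands inside an executable region the same process obtained from VirtualAlloc. The trace format, PIDs and addresses are assumptions and the sample lines are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed trace lines in an assumed "<pid> <api>(<args>) = <ret>" format
# (not real sandbox or EDR output); PIDs and addresses are invented values.
# Process 4120 follows the chain from the write-up; process 5210 is benign noise
# (PAGE_READWRITE allocation, CallWindowProc into a normal window procedure).
SAMPLE_TRACE = """\
4120 VirtualAlloc(0x0, 0x2000, 0x3000, 0x40) = 0x1f30000
4120 RtlMoveMemory(0x1f30000, 0x5a8d10, 0x1b4c) = 0x0
4120 CallWindowProcW(0x1f30400, 0x0, 0x0, 0x0, 0x0) = 0x0
5210 VirtualAlloc(0x0, 0x1000, 0x3000, 0x4) = 0x2a40000
5210 CallWindowProcW(0x76a41c2e, 0x30aa4, 0xf, 0x0, 0x0) = 0x1
"""

# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}
CALL_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(\S+)$")

Call = Tuple[int, str, List[int], int]

def parse_call(line: str) -> Optional[Call]:
    """Return (pid, api, args, ret) for one trace line, or None if it does not match."""
    m = CALL_RE.match(line.strip())
    if m is None:
        return None
    pid, api, args, ret = m.groups()
    values = [int(a, 0) for a in (p.strip() for p in args.split(",")) if a]
    return int(pid), api, values, int(ret, 0)

def find_callwindowproc_shellcode(trace: str) -> List[Tuple[int, int]]:
    """Flag CallWindowProc* calls whose first argument (lpPrevWndFunc) lies inside
    memory the same process earlier received from VirtualAlloc with an executable
    protection. Returns (pid, target_address) pairs in trace order."""
    exec_regions: Dict[int, List[Tuple[int, int]]] = {}  # pid -> [(base, size)]
    hits: List[Tuple[int, int]] = []
    for line in trace.splitlines():
        call = parse_call(line)
        if call is None:
            continue
        pid, api, args, ret = call
        # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
        if api == "VirtualAlloc" and len(args) == 4 and ret != 0:
            if (args[3] & 0xFF) in EXEC_PROTECT:  # mask off PAGE_GUARD-style modifiers
                exec_regions.setdefault(pid, []).append((ret, args[1]))
        elif api.startswith("CallWindowProc") and args:
            target = args[0]
            if any(base <= target < base + size for base, size in exec_regions.get(pid, [])):
                hits.append((pid, target))
    return hits
```

A sample that allocates read/write memory first and flips it to executable with VirtualProtect would need a second branch tracking that call; the block models only the direct executable-allocation sequence the summary describes.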
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32542 (fetched 2025-12-06)
Threat ID: 6933b4eb2271496a0fa6c8b0
Added to database: 12/6/2025, 4:45:31 AM
Last enriched: 12/13/2025, 5:08:16 AM
Last updated: 1/20/2026, 6:24:18 PM