Cisco's RAT-catchers spot sysadmin-targeted phish

Tricks admin tool into sucking down the malware


File this under “it was bound to happen one day”: Cisco has spotted a targeted phishing attack based on a popular sysadmin automation tool.

If someone in the “IT crowd” bunker falls for the phishing attack, Cisco's Talos Group says the payload exploits AutoIT, a scripting admin environment for Windows.

Talos explains what's going on here: the attackers used AutoIT to install a remote access trojan (RAT) on the victims machine, “and maintain persistence on the host in a manner that’s similar to normal administration activity.”

AutoIT then provides a vector by which the attacker can manage a sysadmin's machine, and it's less likely to generate the kind of activity antivirus software might detect.

“The combination of a legitimate administration tool being used to install a back-door onto a target system is unique and is why this attack caught our attention” the post says.

The bait is a Microsoft Word document that uses a logo to impersonate a business – the Corlido Group, in the example given – with a macro that downloads and executes the attack binary.

One of the payloads Talos spotted in the attack was the form of an AutoIT script – unusual in itself, since the novel approach left the attackers confident they didn't have to obfuscate what was happening in an encrypted binary. The script “contained the actual functionality that performed anti-analysis checks, payload decryption, malware installation, and persistence.”

Many of the payloads Talos analyses aren't caught by virus scanners (except Cisco's own, naturally), and the usual advice about having e-mail phishing protection and blacklists of malicious Websites (yes, The Borg box-ticks those as well) applies. ®


Biting the hand that feeds IT © 1998–2020