Recent cybersecurity research has uncovered a credential-stealing malware family, written in AutoHotkey (AHK), that targets customers of financial institutions across the US and Canada. The campaign, active since early 2020, reflects the growing tendency of cybercriminals to build custom tooling for data theft rather than rely on off-the-shelf malware.
Among the victims are customers of several prominent banks, including Scotiabank, Royal Bank of Canada, and HSBC, as well as Alterna Bank, Capital One, and EQ Bank. Notably, India’s ICICI Bank has also been identified as a target. This specific focus on financial institutions illustrates the high stakes for sensitive customer data, making these entities prime candidates for credential exfiltration attacks.
AutoHotkey, an open-source scripting language for Windows, is widely used for task automation and has a track record of being repurposed by malware authors. The infection chain begins with a malicious Excel file containing a Visual Basic for Applications (VBA) macro that runs automatically when the document is opened. The macro drops the downloader script (designated “adb.ahk”) and launches it through a legitimate AHK script compiler, so the first stage executes under the cover of trusted, signed software.
The downloader script is crucial for establishing persistence on infected machines, gathering victim profiles, and retrieving additional AHK scripts from various command-and-control (C&C) servers located in the US, Netherlands, and Sweden. Notably, this malware operates distinctively by executing downloaded scripts rather than receiving direct commands from the C&C server, allowing for customized functionalities geared towards individual victims.
Trend Micro researchers highlight that this approach can tailor malicious operations to specific users or groups while minimizing exposure of the core components to cybersecurity defenses. Such adaptability exemplifies higher-level capabilities often associated with “hack-for-hire” models in cybercrime, especially given the inclusion of usage instructions in Russian.
The malware’s technical design includes a credential stealer aimed at major web browsers, namely Google Chrome, Microsoft Edge, and Opera. Once running, the stealer downloads an SQLite module and uses it to run SQL queries directly against the browsers’ credential databases. It then collects and decrypts the stored credentials and transmits them in plaintext to the C&C server.
The organized nature of the malware’s code, alongside its procedural and scriptable operation, suggests the application of several tactics from the MITRE ATT&CK framework. Techniques likely employed include initial access through malicious attachments, persistence via script execution, and exfiltration through HTTP requests. The amalgamation of these tactics underscores the critical need for advanced detection strategies to mitigate the risks posed by such targeted cyber campaigns.
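As an added illustration that is not part of the Trend Micro report or the article, the following routine scans constructed Sysmon-style process-creation events for the hand-offs described above: an Office application launching an AutoHotkey binary, and AutoHotkey running a script staged in a user-writable directory. The binary names are the stock AutoHotkey interpreter and compiler names; the event shape, field names and file paths are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (sample data, not from the report).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2020-12-01T09:14:02Z",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\AutoHotkeyU64.exe",
     "cmdline": r"AutoHotkeyU64.exe C:\Users\alice\AppData\Local\Temp\adb.ahk"},
    {"ts": "2020-12-01T10:02:11Z",          # benign: user-installed AHK running a hotkey script
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\alice\Documents\hotkeys.ahk"},
    {"ts": "2020-12-01T10:05:40Z",          # follow-on script run from a staging directory
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Roaming\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\alice\AppData\Roaming\update.ahk"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Interpreter and compiler binaries shipped with AutoHotkey; extend for renamed copies.
AHK_IMAGES = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe",
              "autohotkeya32.exe", "ahk2exe.exe"}
# Directories a phishing payload can write to without elevation (assumed list).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the detections that fire for one process-creation event."""
    parent, image = basename(event["parent_image"]), basename(event["image"])
    cmd = event.get("cmdline", "").lower()
    hits: List[str] = []
    # Office application spawning the AHK interpreter/compiler: the VBA macro to AHK hand-off.
    if parent in OFFICE_PARENTS and image in AHK_IMAGES:
        hits.append("office_spawns_autohotkey")
    # AHK executing a script staged in a user-writable directory (downloader or follow-on script).
    if image in AHK_IMAGES and ".ahk" in cmd and any(d in cmd for d in USER_WRITABLE):
        hits.append("autohotkey_script_from_user_writable_path")
    # The AHK binary itself dropped into a user-writable directory rather than an install path.
    if image in AHK_IMAGES and any(d in event["image"].lower() for d in USER_WRITABLE):
        hits.append("autohotkey_binary_in_user_writable_path")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every event through classify() and return (timestamp, detection) pairs."""
    return [(e["ts"], hit) for e in events for hit in classify(e)]
```

Legitimate AutoHotkey users will trip the path-based rules occasionally, so tune the directory list to the environment and treat the Office parent rule as the high-confidence signal.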
The escalation in sophistication and organization of this credential-stealing malware necessitates heightened vigilance within the business sector, especially among financial institutions handling sensitive customer data. Companies are urged to review their cybersecurity protocols, enhance employee training on recognizing phishing attempts, and implement robust, proactive defense mechanisms to counteract this evolving threat landscape.