
AutoHotkey Malware

Posted: April 17, 2019

The AutoHotkey-based malware is a loose category of threats that use the AutoHotkey or AHK scripting language, which automates repetitive tasks in Windows environments. Although AHK isn't as sophisticated as alternatives like Python, threat actors drawn to its ease of use may employ it for a range of different attacks. Users should have their anti-malware solutions detect, isolate and delete the AutoHotkey-based malware appropriately.

The Trojans That Press Keys Unseen

Easy tools can beget vast families of Trojans, as criminal businesses like HawkEye's spyware and the entire Ransomware-as-a-Service industry so thoroughly demonstrate. One of the latest fads in easy-access hacking is AHK or AutoHotkey, a scripting language like Python, PHP, or Java. Its author designed it as an alternative to AutoIt for creating simple functions out of keyboard combinations, such as opening a program after pressing Ctrl + Alt + I. However, criminals are finding new uses for this decade-old language.

The AutoHotkey-based malware isn't a default Windows package and requires dropping and installing a new package, although it doesn't necessarily depend on having administrator privileges. Its design lets threat actors use it for high-repetition tasks. Among the campaigns using the AutoHotkey-based malware that malware experts have verified so far, the abuses of the language include:

  • The AutoHotkey-based malware can hijack the clipboard by replacing copied content with a substitute, such as swapping a Bitcoin wallet address and thereby redirecting a payment.
  • The AutoHotkey-based malware can mine for cryptocurrency using your system's hardware, with the potential for instability, other performance problems, and even temperature- and overuse-related hardware failures.
  • At least one threat in this category uses the scripting features to pretend that it's a Kaspersky AV product, and is named Fauxpersky as a result.
  • Another campaign employs the AutoHotkey-based malware as a Trojan downloader, which drops other threats, including the TeamViewer RAT, onto the computer. The latter gives threat actors control over the system's UI and possible access to information.
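
As an added example (not code from the original article), the clipboard-hijack behaviour described above expressed as detection logic over a constructed log of clipboard changes: the event fields, process names and five-second window are assumptions, and the wallet addresses are made-up placeholders that only satisfy the format check.

```python
import re
from dataclasses import dataclass

# Common Bitcoin address shapes: legacy Base58 (1.../3...) and bech32 (bc1...).
ADDRESS_RE = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{38,59})$")

@dataclass
class ClipEvent:
    t: float    # seconds since monitoring began
    text: str   # clipboard contents after this change
    owner: str  # process that wrote the clipboard (assumed field)

def looks_like_address(s: str) -> bool:
    return bool(ADDRESS_RE.match(s.strip()))

def find_swaps(events, window=5.0):
    """Return (original, replacement, owner) for each suspected clipboard hijack.

    The hijack signature is an address landing in the clipboard and then being
    overwritten within `window` seconds by a *different* address, which a user
    copying one wallet address would not normally do on their own."""
    hits = []
    for prev, cur in zip(events, events[1:]):
        if (looks_like_address(prev.text) and looks_like_address(cur.text)
                and prev.text.strip() != cur.text.strip()
                and cur.t - prev.t <= window):
            hits.append((prev.text, cur.text, cur.owner))
    return hits

# Constructed sample log, not real telemetry; addresses are placeholders that
# only satisfy the format check. The user copies an invoice address from the
# browser and an AHK script overwrites it half a second later.
USER_ADDR = "1UserWaLLet" + "X" * 20
SWAPPED_ADDR = "1AttackerWaLLet" + "X" * 16
SEGWIT_ADDR = "bc1q" + "userwallet" + "x" * 28
SAMPLE = [
    ClipEvent(0.0, "meeting notes", "notepad.exe"),
    ClipEvent(12.4, USER_ADDR, "chrome.exe"),
    ClipEvent(12.9, SWAPPED_ADDR, "AutoHotkey.exe"),
    ClipEvent(40.0, SEGWIT_ADDR, "chrome.exe"),
    ClipEvent(80.0, SEGWIT_ADDR, "chrome.exe"),   # same text again: not a swap
]

if __name__ == "__main__":
    for original, replacement, owner in find_swaps(SAMPLE):
        print(f"clipboard swap by {owner}: {original} -> {replacement}")
```

On a live system the events would come from a clipboard-change listener; the same rule then flags the silent rewrite regardless of whether the writer is an AHK interpreter or a compiled script.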

More possibilities are likely in the future, and malware experts and other industry researchers note a reasonable chance of evolution in the direction of keyloggers – spyware that specializes in collecting keyboard-typed info.

Cooling Off a Scripting Security Problem

The AutoHotkey-based malware covers a variety of possibilities, and users can't rely on one-size-fits-all strategies or solutions against its attacks. However, e-mail messages carrying corrupted documents remain at the forefront of infection vectors for the AutoHotkey-based malware, as well as other threats. Windows users should avoid interacting with suspicious files without verifying their safety, and be particularly on guard against embedded macros and outdated document-reading software.

Because AHK isn't a default Windows component, users should treat the presence of a program that enters keystrokes automatically as unsafe. TeamViewer is another example of a not-necessarily-corrupted program that's finding frequent use in Trojan infections. Most anti-malware products should carry threat detection metrics for identifying unwanted software like this in a corrupted context and remove the AutoHotkey-based malware from your system.

The AutoHotkey-based malware's strength lies in how easy it is to put together, and that may or may not suffice to keep it in regular use within the threatening software industry. Whether a fad or a long-term trend, the AutoHotkey-based malware is just as threatening as a Python Trojan or a JavaScript exploit either way.
