Several new AutoHotKey malware variants have been discovered in recent weeks as threat actors turn to the scripting language to quickly develop new malware variants. The latest discovery – Fauxpersky malware – is very efficient at stealing passwords.

AutoHotKey is a popular open-source scripting language. AutoHotKey make it easy to create scripts to automate and schedule tasks, even inside third-party software. It is possible to use AutoHotKey to interact with the local file system and the syntax is simple, making it straightforward to use, even without much technical knowledge. AutoHotKey allows scripts to be compiled into an executable file that can be easily run on a system.

The usefulness of AutoHotKey has not been lost on malware developers, and AutoHotKey malware is now used for keylogging and to install other malware variants such as cryptocurrency miners, the first of the latter was discovered in February 2018.

Several other AutoHotKey malware variants have since been discovered with the latest known as Fauxpersky, so named because it masquerades as Kaspersky antivirus.

Fauxpersky Malware

Fauxpersky malware lacks sophistication, but it can be considered a significant threat – One that has potential to cause considerable harm. If undetected, it allows the attackers to steal passwords that can be used for highly damaging attacks and give the attackers a foothold in the network.

Fauxpersky malware was discovered by security researchers Amit Serper and Chris Black. The researchers explained in a recent blog post that the malware may not be particularly advanced and stealthy, but it is a threat and could allow the authors to steal passwords to gain access to data.

Fauxpersky infects USB drives which are used to spread the malware between devices. The malware can also replicate across the system’s listed drives. Communication with the attackers is via a Google Form, that is used to send stolen passwords and keystroke lists to the attackers’ inbox. Since the transmission is encrypted, it doesn’t appear to be data exfiltration by traffic monitoring systems.

Once installed it renames the drive and appends “Protected y Kaspersky Internet Security 2017” to the drive name. The malware records all keystrokes made on a system and also adds context to help the attackers determine what the user is doing. The name of the window where the text is being typed is added to the text file.

Once the list of keystrokes has been sent, it is deleted from the hard drive to prevent detection. The researchers reported the new threat to Google which rapidly took down the malicious form although others may well be created to take its place.

AutoHotKey Malware Likely to become More Sophisticated

AutoHotKey malware is unlikely to replace more powerful scripting languages such as PowerShell, although the rise in use of AHK and the number of new variants detected in recent weeks suggest it will not be dropped any time soon. AHK malware has now been discovered with several obfuscation functions to make it harder to detect, and many AV vendors have yet to implement the capability to detect this type of malware. In the short to medium term, we are likely to see an explosion of AHK malware variants, especially keyloggers designed to steal passwords.