AutoHotKey has now become one of the most trendy technologies for building malware, according to several reports put out by cyber-security firms and insights Bleeping Computer received from malware experts.
AutoHotKey, or AHK, is an open-source scripting language developed for the Microsoft Windows operating system back in 2003.
AHK was born when its creator tried and failed to add support for keyboard shortcuts (hotkeys) in AutoIt, a similar Windows scripting language.
The failed attempt to improve the older AutoIt language spurred the AHK creator to put together a new scripting engine that later became AutoHotKey and, which, over the next several years developed into a behemoth on the Windows scripting landscape.
Besides original support for remapping keyboard shortcuts, AutoHotKey is now a powerful system that can now interact with the local filesystem, monitor or close programs, set up scheduled tasks, but also automate repetitive operations inside third-party software.
Furthermore, the AHK scripting language uses a simple syntax that even non-technical users can understand.
AHK goes from aimbots to in-the-wild malware strains
Because of these features, over the years, AutoHotKey became the prime technology used for the creation of aimbots and other game cheating tools. But in recent months, the language has also started catching on with some malware developers, as well.
A first report highlighting the rising number of AHK-based malware came from the security research team at Ixia, who found AHK malware samples distributing cryptocurrency miners and a clipboard hijacker towards the end of February.
Ixia’s findings were doubled this month when another cyber-security firm, Cybereason, published a similar report on another AHK-based malware strain the company discovered and named Fauxpersky because it tried to imitate a Kaspersky antivirus.
New AHK malware strains discovered every day
But these aren’t the only malware strains researchers spotted, and the list of AHK malware is getting larger by the day.
“We are still finding fresh and new samples, both in their content and their structure,” Gabriel Cirlig, a security researcher at Ixia told Bleeping Computer in a private conversation.
“Every day we find the same clipbankers/droppers/keyloggers that only have minor changes done to their code as well as samples that even employ complex obfuscation techniques and file structure,” Cirlig said. “Even as we speak the list is growing faster and faster.”
AHK malware is getting more and more complex
And these malware families are evolving in terms of complexity. For example, Cybereason researchers Amit Serper and Chris Black described Fauxpersky as a very simplistic and unconvincing threat.
“This malware is by no means advanced or even very stealthy,” Serper and Black wrote in their report. “Its authors didn’t put any effort into changing even the most trivial things, such as the AHK icon that’s attached to the file.”
But Cirlig says newer malware strains discovered in recent days are far more advanced, showing that crooks are slowly learning how to utilize AHK for more and more complex tasks.
“The latest that we found, and we’re still analyzing, is the first one to use five different obfuscation functions that intertwine each other,” Cirlig said.
The trend is clear, and that’s that malware authors are increasingly looking at AHK when it comes to choosing the language for their next malware.
AHK is inferior to Python, PowerShell
But Dr. Vesselin Bontchev, a security researcher with decades of experience in the malware community doesn’t believe AutoHotKey will become more than AutoIt achieved —the go-to language when it comes to skid-level malware.
“There is nothing exceptional about it – it’s just a powerful scripting language that allows the simulation of user interaction,” Dr. Bontchev told Bleeping Computer in an email a few weeks back.
“It’s more powerful than the BAT, so it makes sense that people who would write BAT malware would prefer it. Modern scripting languages like Python or PowerShell or VBScript are probably more powerful, but user interaction is harder to simulate with them,” Dr. Bontchev said.
“The usage of some tools is like a fad – they become popular, then their popularity wanes, for no obvious reason,” he added.
AHK has a lot of untapped potential
But for the time being, AHK as a malware trend is here to stay, and may soon replace AutoIt when it comes to quickly putting together simplistic malicious files.
“AutoIt has already established itself as a tool for malware developers, with blog posts all over the internet,” Cirlig told Bleeping Computer. “AHK used to have fewer features (and it still has), but version 2.0 added a bucketload of new stuff that closed the gap.”
“The main difference between AHK and AutoIt is that the first one is open source, while the former is not. This means that if the AHK interpreter becomes too notorious and starts getting more hits on the AV radar, you can build your own pretty easily and have a brand new platform to assist you in malware development.
“I think there’s a lot of untapped potential when it comes to keyloggers,” Cirlig added. “[AHK] started as a keybinding tool after all.”
But while AutoHotKey is quite popular right now and may soon be on par with AutoIt in terms of features, Dr. Bontchev may be right after all, and AutoHotKey may end up a temporary fad until most malware developers realize that AHK is nowhere near on par with more complex scripting languages like PowerShell and Python, which are also already preinstalled on Windows, compared to AHK, which is not.
PS: Since AutoHotKey is a new player on the malware landscape, there aren’t many tools to aid developers in analyzing samples. The Cybereason team released a free tool called ahk-dumper that may help some malware researchers during their work.
Just pushed ahk-dumper to GitHub.
Ahk-dumper will extract AutoHotKey code from a compiled AutoHotKey exe file. It’s super straight-forward and small, only requires the amazing ‘lief’ python library:https://t.co/uXmhk1Dzs3
— Amit Serper (@0xAmit) February 26, 2018