URL: https://blog.sonicwall.com/en-us/2024/08/autoit-bot-targets-gmail-accounts-first/
AUTOIT BOT TARGETS GMAIL ACCOUNTS FIRST




By Security News
August 27, 2024


SUMMARY

This week, the SonicWall Capture Labs threat research team observed an
AutoIt-compiled executable that attempts to open Gmail login pages in Microsoft
Edge, Google Chrome and Mozilla Firefox. It has functionality to read clipboard
data, capture keystrokes, run as different users, and restart or shut down the
system. The sample can also detect debuggers and block user input when one is
found, and it can control keyboard and mouse input. Be cautious when running
files of unknown origin or with vague names such as "File.exe". SonicWall
customers are protected through the daily update feed via the
"MalAgent.AutoITBot" signature.


TECHNICAL ANALYSIS

Reviewing the sample with the Detect-It-Easy (DIE) tool identifies it as an
AutoIt-compiled executable. Note that the original file name was "File.exe".



Figure 1: DIE Sample detection

Several libraries are imported with nothing but ordinals identifying the
related functions, and four separate networking libraries are imported as
well. Importing by ordinal rather than by name hides which API functions the
binary uses, which indicates the imports have been obfuscated; this is visible
in the DIE tool in Figure 2.



Figure 2: Obfuscated libraries

Using the AutoITExtractor tool, we can extract the script shown in Figure 3.
It contains cleartext commands to find and launch each browser on a Google
sign-in page (accounts.google.com).



Figure 3: Extracted script contents

Statically analyzing the binary in a disassembler reveals no hardcoded
addresses known to be malicious. While the script has each browser open the
Google accounts page, it also contains generic login links for Facebook,
Reddit and other major social media sites. While the browsers launch and run, a
separate function sets up a listening socket if the environment checks pass and
connectivity has been established, as shown in Figure 4.



Figure 4: Socket option setup

If the socket setup fails, the malware calls the standard WSAGetLastError
Windows API, as observed during dynamic analysis (Figure 5).



Figure 5: Socket bind operation (failed)

When the browsers are run, they create multiple processes using the following
command line structure:



Figure 6: Browser command line commands

The first process creates a hidden, separate page in Firefox, while the second
attempts to open the socket.

Once a connection is made, the keylogging, screen capture and further
file-enumeration functions run. This behavior was not observed during testing,
however, because no connection to a C2 server was established.
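The behavior described in this section lends itself to a host-telemetry detection: an unknown parent process launching several different browsers on accounts.google.com and then opening a listening socket. The Python below is an added example written for this post, not SonicWall tooling and not the malware's script. The events are constructed Sysmon-style process-creation and listen records; the field names, browser command-line flags and the listening port are assumptions, not values taken from the sample.

```python
"""Correlate browser launches to a Google sign-in page with a listening socket
on the launching process.  Added example for this post, not SonicWall code;
the events below are constructed in a Sysmon-like shape and the browser flags
and port are assumptions, not values from the sample."""
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
# Parents that legitimately start browsers for interactive users.
TRUSTED_PARENTS = {"explorer.exe", "userinit.exe"}
LOGIN_HOSTS = ("accounts.google.com",)
WINDOW = timedelta(seconds=60)

# Constructed telemetry: one unknown File.exe spawning three browsers, plus a
# benign explorer.exe-launched Chrome session for contrast.
EVENTS = [
    {"ts": "2024-08-27T05:49:00", "type": "process_create", "pid": 3000, "ppid": 1001,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "chrome.exe https://accounts.google.com/"},
    {"ts": "2024-08-27T05:50:00", "type": "process_create", "pid": 4120, "ppid": 1001,
     "image": r"C:\Users\user\Downloads\File.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "File.exe"},
    {"ts": "2024-08-27T05:50:02", "type": "process_create", "pid": 4130, "ppid": 4120,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Users\user\Downloads\File.exe",
     "cmdline": "firefox.exe -new-window https://accounts.google.com/"},
    {"ts": "2024-08-27T05:50:03", "type": "process_create", "pid": 4140, "ppid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Users\user\Downloads\File.exe",
     "cmdline": "chrome.exe --new-window https://accounts.google.com/"},
    {"ts": "2024-08-27T05:50:04", "type": "process_create", "pid": 4150, "ppid": 4120,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent_image": r"C:\Users\user\Downloads\File.exe",
     "cmdline": "msedge.exe --new-window https://accounts.google.com/"},
    # Assumed port: the post does not give one.
    {"ts": "2024-08-27T05:50:05", "type": "network_listen", "pid": 4120, "port": 4444},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per parent that launches >= 2 distinct browsers on a
    login host within WINDOW; severity rises if that parent also listens."""
    launches = defaultdict(list)   # ppid -> [(ts, browser, parent_name)]
    listens = defaultdict(set)     # pid  -> {port}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "process_create":
            image = basename(e["image"])
            cmd = e["cmdline"].lower()
            if image in BROWSERS and any(h in cmd for h in LOGIN_HOSTS):
                launches[e["ppid"]].append(
                    (datetime.fromisoformat(e["ts"]), image, basename(e["parent_image"])))
        elif e["type"] == "network_listen":
            listens[e["pid"]].add(e["port"])

    alerts = []
    for ppid, rows in launches.items():
        parent = rows[0][2]
        if parent in TRUSTED_PARENTS or parent in BROWSERS:
            continue  # user-driven launch, or a browser's own child processes
        first = rows[0][0]
        browsers = sorted({b for ts, b, _ in rows if ts - first <= WINDOW})
        if len(browsers) < 2:
            continue
        alerts.append({
            "parent": parent,
            "ppid": ppid,
            "browsers": browsers,
            "listening_ports": sorted(listens.get(ppid, ())),
            "severity": "high" if listens.get(ppid) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The rule deliberately ignores browsers started by explorer.exe or by another browser, so a user opening Gmail in Chrome does not fire; it is the combination of an unusual parent, several browsers and a listener on that parent that stands out.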


SONICWALL PROTECTIONS

To ensure SonicWall customers are protected against this threat, the following
signature has been released:

 * MalAgent.AutoITBot


IOCS

File.exe (SHA-256):

6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0
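A quick triage script ties the IOC above to the static finding in Figure 1. The Python below is an added example for this post, not SonicWall tooling or the DIE detection itself: it hashes a file, compares the digest with the SHA-256 published here, and looks for the "AU3!EA06" version marker that compiled AutoIt3 scripts embed. The bytes used in the test are constructed, not the real sample.

```python
"""Hash a file against the post's IOC and check for the AutoIt3 compiled-script
marker.  Added example, not SonicWall code; test input is constructed."""
import hashlib
import sys

# SHA-256 from the IOC section of this post.
IOC_SHA256 = {"6a4d5fa1f240b1ea51164de317aa376bbc1bbddeb57df23238413c5c21ca9db0"}

# Version marker present in AutoIt3-compiled executables; DIE keys on the
# same string when it labels a binary as AutoIt.
AUTOIT_MARKER = b"AU3!EA06"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """Cheap PE check: DOS header magic only."""
    return data[:2] == b"MZ"


def has_autoit_marker(data: bytes) -> bool:
    return AUTOIT_MARKER in data


def triage(data: bytes, name: str = "<buffer>") -> dict:
    digest = sha256_hex(data)
    return {
        "name": name,
        "sha256": digest,
        "pe": is_pe(data),
        "autoit": has_autoit_marker(data),
        "ioc_match": digest in IOC_SHA256,
    }


def verdict(t: dict) -> str:
    if t["ioc_match"]:
        return "known-bad (hash matches IOC)"
    if t["pe"] and t["autoit"]:
        return "suspicious (AutoIt-compiled PE, extract and review the script)"
    return "no indicator"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            t = triage(fh.read(), path)
        print(f"{t['name']}: {verdict(t)} sha256={t['sha256']}")
```

Usage: `python triage.py File.exe`. A hash match is definitive for this sample; the marker check is only a hint that the file carries an AutoIt script worth extracting, since plenty of legitimate AutoIt tools exist.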

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets
cross-vector threat information from the SonicWall Capture Threat network,
consisting of global devices and resources, including more than 1 million
security sensors in nearly 200 countries and territories. The research team
identifies, analyzes, and mitigates critical vulnerabilities and malware daily
through in-depth research, which drives protection for all SonicWall customers.
In addition to safeguarding networks globally, the research team supports the
larger threat intelligence community by releasing weekly deep technical analyses
of the most critical threats to small businesses, providing critical knowledge
that defenders need to protect their networks.
Categories: Threat intelligence
Tags: Security News
