Potential Targeted Attack Uses AutoHotkey and Malicious Script Embedded in Excel File to Avoid Detection (Apr 17, 2019)
Researchers from Trend Micro have observed a phishing campaign that delivers a macro-enabled Excel document which abuses the legitimate scripting engine AutoHotkey. The macro launches an AutoHotkey script that establishes a connection to a Command and Control (C2) server and executes additional scripts in response to the commands it receives. The C2 can also instruct the script to take screen captures of the infected device, collect device information, and install the Remote Access Tool (RAT) TeamViewer, which gives the threat actor remote control over the system.
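The behaviour chain above (Office document, then the AutoHotkey interpreter, then a TeamViewer install driven from that script) is what a defender can look for in process-creation telemetry. The following is an added detection example, not code from Trend Micro, Anomali or the AutoHotkey project. It runs over a small set of constructed process events, and the process image names it matches (`AutoHotkey*.exe`, `TeamViewer.exe` and its helpers) are assumptions about what such telemetry would show, not indicators taken from the report.

```python
"""Added example: flag the process chain described in the write-up
(Office app -> AutoHotkey interpreter -> TeamViewer) over process-creation
events. All event data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed image names for the three roles in the chain (not from the report).
OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
AHK_PROCS = {"autohotkey.exe", "autohotkeyu64.exe", "autohotkeyu32.exe"}
RAT_PROCS = {"teamviewer.exe", "tv_w32.exe", "tv_x64.exe"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (pid, parent pid, image path, cmdline)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, e.g. 'C:\\X\\EXCEL.EXE' -> 'excel.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def nearest_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                     names: Set[str], max_depth: int = 5) -> Optional[ProcEvent]:
    """Walk up the parent chain and return the closest ancestor whose image is in
    `names`, or None. Depth-limited and cycle-safe so a corrupt ppid cannot loop."""
    cur = by_pid.get(ev.ppid)
    seen: Set[int] = set()
    depth = 0
    while cur is not None and depth < max_depth and cur.pid not in seen:
        seen.add(cur.pid)
        if image_name(cur.image) in names:
            return cur
        cur = by_pid.get(cur.ppid)
        depth += 1
    return None


def detect_ahk_chain(events: List[ProcEvent]) -> List[Tuple[str, int, int]]:
    """Return (rule, parent_or_ancestor_pid, child_pid) alerts for two links of
    the chain: an Office app directly spawning AutoHotkey, and TeamViewer started
    anywhere beneath an AutoHotkey process (an intermediate cmd.exe is tolerated)."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple[str, int, int]] = []
    for e in events:
        name = image_name(e.image)
        if name in AHK_PROCS:
            parent = by_pid.get(e.ppid)
            if parent is not None and image_name(parent.image) in OFFICE_PROCS:
                alerts.append(("office_spawned_autohotkey", parent.pid, e.pid))
        if name in RAT_PROCS:
            anc = nearest_ancestor(e, by_pid, AHK_PROCS)
            if anc is not None:
                alerts.append(("autohotkey_ancestor_of_teamviewer", anc.pid, e.pid))
    return alerts


# Constructed sample telemetry: one malicious chain plus one benign AutoHotkey
# launch from Explorer (a user's own script) that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              'EXCEL.EXE "C:\\Users\\u\\Downloads\\invoice.xlsm"'),
    ProcEvent(300, 200, r"C:\Users\u\AppData\Local\Temp\AutoHotkeyU64.exe",
              r"AutoHotkeyU64.exe C:\Users\u\AppData\Local\Temp\run.ahk"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start tv"),
    ProcEvent(500, 400, r"C:\Users\u\AppData\Local\Temp\tv\TeamViewer.exe", "TeamViewer.exe"),
    ProcEvent(600, 100, r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r"AutoHotkey.exe C:\Users\u\hotkeys.ahk"),
]


def run_sample() -> List[Tuple[str, int, int]]:
    """Run the detector over the constructed events."""
    return detect_ahk_chain(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, src, dst in run_sample():
        print(f"{rule}: pid {src} -> pid {dst}")
```

The two rules are deliberately narrow (Office parent, AutoHotkey ancestor) so that a user's own AutoHotkey scripts launched from Explorer stay quiet; in a real deployment the same logic would sit on Sysmon or EDR process-creation events rather than the constructed list, and the image-name sets would be tuned to the interpreter and remote-access builds actually present in the environment.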
Recommendation: It is important that your company institutes policies to educate employees about phishing attacks: specifically, how to identify such attacks and whom to contact when a phishing email is identified. Furthermore, maintain policies on the kinds of requests and information employees can expect to receive from colleagues and management, so that unexpected communications can be recognized as potentially malicious.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users to identify potential malicious activity.