Cisco Threat Research - Malware Meets SysAdmin – Automation Tools Gone Bad
August 2015 by Cisco
Cisco’s Talos Security Intelligence and Research Group has released its latest blog post, detailing its research into a new and unique type of targeted phishing attack.
Unlike the phishing campaigns that deliver malware such as Dridex, Upatre and Cryptowall, this targeted attack uses AutoIt, a well-known and legitimate freeware scripting tool for automating Windows administration tasks that is widely used in corporate environments. Talos found that, by using AutoIt, adversaries can install Remote Access Trojans (RATs) and remotely control compromised hosts to carry out malicious operations such as exfiltrating sensitive information. These campaigns are particularly effective at evading traditional anti-virus technologies for two reasons: the lures appear credible to users, and the resulting activity on the host looks like normal administration work, so the implant can persist without drawing attention.
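As an added example (not code from the Talos post or from Cisco), the Python check below looks for two strings that compiled AutoIt v3 executables carry: the `AU3!EA06` script-resource header and the stub message `This is a third-party compiled AutoIt script.`, both of which are widely used as YARA indicators. The file names and byte strings are constructed for the example, not taken from any real sample. A match is a triage signal, not a verdict: legitimate administration tools are also compiled AutoIt scripts, which is exactly why this campaign blends in.

```python
"""Triage check for compiled AutoIt executables (added example, not Talos code).

Compiled AutoIt v3 binaries embed the script as a resource whose header starts
with b"AU3!EA06", and the runtime stub carries the message
"This is a third-party compiled AutoIt script." Both strings are widely used as
YARA indicators. All sample bytes below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List
import sys

# Indicator strings seen in AutoIt3-compiled executables. Assumption: these are
# stable across the AutoIt 3.3.x line; verify against your own known-good samples.
AUTOIT_MARKERS: Dict[str, bytes] = {
    "script_header": b"AU3!EA06",
    "stub_message": b"This is a third-party compiled AutoIt script.",
}


@dataclass
class Verdict:
    name: str
    is_pe: bool
    markers: List[str] = field(default_factory=list)

    def autoit_compiled(self) -> bool:
        # Only flag PE images: the marker strings alone (e.g. in a ticket,
        # a text file or a YARA rule on disk) are not a compiled script.
        return self.is_pe and bool(self.markers)

    def summary(self) -> str:
        state = "compiled AutoIt" if self.autoit_compiled() else "no AutoIt markers"
        return f"{self.name}: {state} {self.markers}"


def scan_bytes(name: str, data: bytes) -> Verdict:
    """Classify a byte blob; a production scanner would read files in chunks."""
    is_pe = data[:2] == b"MZ"
    found = [label for label, sig in AUTOIT_MARKERS.items() if sig in data]
    return Verdict(name, is_pe, found)


def scan_file(path: str) -> Verdict:
    with open(path, "rb") as fh:
        return scan_bytes(path, fh.read())


# Constructed samples (not real binaries): a minimal fake PE header, the same
# header with AutoIt markers appended, and a marker outside any PE image.
_FAKE_PE = b"MZ" + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
SAMPLES: Dict[str, bytes] = {
    "inventory.exe": _FAKE_PE + b"ordinary administration tool",
    "update.exe": _FAKE_PE
    + b"This is a third-party compiled AutoIt script.\x00"
    + b"AU3!EA06" + b"<compiled script payload>",
    "notes.txt": b"AU3!EA06 mentioned in a helpdesk ticket",
}


def triage(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Return {name: flagged} for every sample."""
    return {name: scan_bytes(name, data).autoit_compiled() for name, data in samples.items()}


if __name__ == "__main__":
    targets = sys.argv[1:]
    verdicts = [scan_file(p) for p in targets] if targets else [
        scan_bytes(n, d) for n, d in SAMPLES.items()
    ]
    for v in verdicts:
        print(v.summary())
```

Run it with one or more file paths to scan real executables, or with no arguments to see the constructed samples classified. Because compiled AutoIt is common in legitimate sysadmin tooling, pair a hit with context before escalating: code-signing status, install path, parent process, and whether the binary opens outbound connections or drops further payloads.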