AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | AutoIt backdoor attempts to escalate privileges by bypassing User Account Control.[1]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[1]
Enterprise | T1132.001 | Data Encoding: Standard Encoding | AutoIt backdoor has sent a C2 response that was base64-encoded.[1]
Enterprise | T1083 | File and Directory Discovery | AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[1]
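The File and Directory Discovery row above describes a sweep for documents with a fixed set of extensions. The following is an added detection example, not code from the ATT&CK entry or from the malware itself: it takes a stream of file-access events (the sample events, field layout, process names and thresholds are all constructed assumptions for illustration) and flags any process that reads files with those document extensions across several distinct directories within a short window, which is the telemetry shape such a sweep tends to leave.

```python
"""Heuristic detector for a document-discovery sweep (added example).

Input events are (ISO timestamp, process name, Windows path) tuples; in a
real deployment these would come from file-access telemetry such as an EDR
or Sysmon feed. Thresholds are assumptions chosen for illustration.
"""
import ntpath  # Windows path semantics regardless of the host OS
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions named in the ATT&CK entry for AutoIt backdoor's document discovery.
DOC_EXTENSIONS = {".doc", ".pdf", ".csv", ".ppt", ".docx",
                  ".pst", ".xls", ".xlsx", ".pptx", ".jpeg"}

# Constructed sample telemetry, not real data. "winword.exe" repeatedly opens a
# single document (benign); "svchost_upd.exe" (hypothetical name) touches many
# documents in many folders within seconds (sweep-like).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "winword.exe", r"C:\Users\a\Documents\report.docx"),
    ("2024-01-01T10:00:01", "winword.exe", r"C:\Users\a\Documents\report.docx"),
    ("2024-01-01T10:05:00", "svchost_upd.exe", r"C:\Users\a\Documents\q1.xlsx"),
    ("2024-01-01T10:05:01", "svchost_upd.exe", r"C:\Users\a\Desktop\notes.doc"),
    ("2024-01-01T10:05:02", "svchost_upd.exe", r"C:\Users\a\Downloads\invoice.pdf"),
    ("2024-01-01T10:05:03", "svchost_upd.exe", r"C:\Users\a\Pictures\holiday.jpeg"),
    ("2024-01-01T10:05:04", "svchost_upd.exe", r"C:\Users\a\Documents\archive.pst"),
    ("2024-01-01T10:05:05", "svchost_upd.exe", r"C:\Users\a\Documents\setup.exe"),
]


def find_document_sweeps(events, min_files=5, min_dirs=3,
                         window=timedelta(minutes=2)):
    """Return {process: summary} for processes that, inside any `window`,
    touched at least `min_files` distinct document files spread over at
    least `min_dirs` distinct directories. Non-document files are ignored."""
    per_proc = defaultdict(list)
    for ts, proc, path in events:
        if ntpath.splitext(path)[1].lower() in DOC_EXTENSIONS:
            per_proc[proc].append((datetime.fromisoformat(ts), path))

    findings = {}
    for proc, hits in per_proc.items():
        hits.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits in `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            in_window = hits[start:end + 1]
            files = {p for _, p in in_window}
            dirs = {ntpath.dirname(p) for _, p in in_window}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                findings[proc] = {
                    "files": len(files),
                    "dirs": len(dirs),
                    "first": in_window[0][0].isoformat(),
                    "last": in_window[-1][0].isoformat(),
                }
                break  # one finding per process is enough for triage
    return findings


if __name__ == "__main__":
    for proc, summary in find_document_sweeps(SAMPLE_EVENTS).items():
        print(f"{proc}: {summary['files']} documents in {summary['dirs']} "
              f"directories between {summary['first']} and {summary['last']}")
```

The breadth condition (distinct directories) is what separates a sweep from a user working on one folder; tune `min_files`, `min_dirs` and `window` against your own baseline, and expect legitimate indexers and backup agents to need an allow-list.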