AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

ID: S0129
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1088 Bypass User Account Control AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.[1]
Enterprise T1132 Data Encoding AutoIt backdoor has sent a C2 response that was base64-encoded.[1]
Enterprise T1083 File and Directory Discovery AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[1]
Enterprise T1086 PowerShell AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[1]

Groups

Groups that use this software:

APT33
Patchwork

References