AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

ID: S0129
Aliases: AutoIt backdoor
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1088Bypass User Account ControlAutoIt backdoor attempts to escalate privileges by bypassing User Access Control.[1]
EnterpriseT1132Data EncodingAutoIt backdoor has sent a C2 response that was base64-encoded.[1]
EnterpriseT1083File and Directory DiscoveryAutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[1]
EnterpriseT1086PowerShellAutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[1]

Groups

Groups that use this software:

Patchwork

References