AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

ID: S0129
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1088 Bypass User Account Control

AutoIt backdoor attempts to escalate privileges by bypassing User Account Control.[1]

Enterprise T1132 Data Encoding

AutoIt backdoor has sent a C2 response that was base64-encoded.[1]

Enterprise T1083 File and Directory Discovery

AutoIt backdoor is capable of identifying documents on the victim system with the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[1]

Enterprise T1086 PowerShell

AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[1]

Groups That Use This Software

ID Name References
G0040 Patchwork [1]
G0064 APT33 [2]