AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. This malware makes use of the legitimate Windows GUI automation scripting language of the same name.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1088 | Bypass User Account Control | AutoIt backdoor attempts to escalate privileges by bypassing User Account Control. |
| Enterprise | T1132 | Data Encoding | AutoIt backdoor has sent a C2 response that was base64-encoded. |
| Enterprise | T1083 | File and Directory Discovery | AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg. |
| Enterprise | T1086 | PowerShell | AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader. |
Groups that use this software: Patchwork