AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

ID: S0129
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1088 Bypass User Account Control

AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.[1]

Enterprise T1132 Data Encoding

AutoIt backdoor has sent a C2 response that was base64-encoded.[1]

Enterprise T1083 File and Directory Discovery

AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[1]

Enterprise T1086 PowerShell

AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[1]

Groups That Use This Software

ID Name References
G0040 Patchwork [1]
G0064 APT33 [2]