AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

ID: S0129
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

AutoIt backdoor has sent a C2 response that was base64-encoded.[1]

Enterprise T1083 File and Directory Discovery

AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[1]

Groups That Use This Software

ID Name References
G0064 APT33


G0040 Patchwork