This article discusses the rise in malware distribution through phishing emails, focusing on the increasing prevalence of AutoIt-compiled malware compared to .NET malware. Notably, XLoader has emerged as the most distributed malware, alongside other threats like SnakeKeylogger and AgentTesla. The article highlights the ease of compiling AutoIt scripts, contributing to its growing use among cybercriminals. Affected: AutoIt, .NET, XLoader, SnakeKeylogger, RedLine, AgentTesla, RemcosRAT
Key points:
- The AhnLab Security Intelligence Center regularly reports on malware distributed via phishing emails.
- AutoIt-compiled malware has seen a sharp increase in distribution since August 2024.
- In December 2024, the distribution of AutoIt malware nearly matched that of .NET malware.
- XLoader is currently the most widely distributed type of malware.
- AutoIt is easier to compile and has fewer dependencies compared to .NET.
- Distribution of both AutoIt and .NET malware decreased in December, suggesting a potential trend.
- Detailed distribution cases of AutoIt malware are provided in the report.
MITRE Techniques:
- Execution (T1203) – Malware is executed through phishing emails that trick users into opening malicious attachments.
- Command and Control (T1071) – Compromised systems may communicate with external servers to receive commands.
- Credential Dumping (T1003) – Malware like SnakeKeylogger and AgentTesla may capture user credentials.
Indicators of Compromise:
- See the full article for the complete list of IoCs (file hashes).
Full Research: https://asec.ahnlab.com/en/85687/