Based on several reports from research firms, it would appear that AutoHotKey is being used in the creation of malware. AutoHotKey, often simply referred to as AHK, is an open-source scripting language developed for the Microsoft Windows operating system back in 2003. AHK was born when its creator tried and failed to add support for keyboard shortcuts (hotkeys) in AutoIt, a similar Windows scripting language. Since its creation, it has become a major Windows scripting language. Besides its original support for remapping keyboard shortcuts, AutoHotKey is now a powerful system that can interact with the local file system, monitor or close programs, and set up scheduled tasks, and, importantly for the novice hacker, it can automate repetitive operations inside third-party software packages. Added to that obvious advantage for the novice, the AHK scripting language uses a simple syntax that even non-technical users can understand.
Because of the language's ease of use, ease of understanding, and ability to automate repetitive operations, AHK has historically been used by gamers to create aimbots, auto-aim cheating tools for first-person shooters. While gamers have abused it to gain an edge, a few others have been at work subverting the language for hacking purposes. Researchers believe this may be the start of a new trend in malware development. This would certainly be the case when considering the recently published reports by Ixia and Cybereason.
In the Ixia report, their cyber research team notes an escalation in detections of AHK malware samples distributing cryptocurrency miners and a clipboard hijacker towards the end of February. One of the more cunning pieces of malware is based on a clipbanker detected in the wild. The clipbanker works by staying resident in memory and listening for any activity in your clipboard. When the clipboard contains anything resembling a crypto wallet address, it replaces the content with its own wallet address, thus tricking you into sending funds to the hacker’s wallet instead. Perhaps more in line with AHK’s historical use by those looking to cheat, researchers also discovered a script targeting the Steam trading platform. The Steam trading platform is quite robust and may conduct millions of transactions per day. While technically it is not possible to cash out on your transactions, a lot of black markets are available for the intrepid trader who wants to sell their inventory. Using a method very similar to the clipbanker mentioned above, hackers are able to scam those looking to sell items from their inventory.
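The clipbanker behaviour described above (a wallet-looking string silently replaced by another one) is something a defender can detect from clipboard history alone. The following is an added example, not code from the Ixia report or from any sample; it assumes you already collect timestamped clipboard snapshots tagged with whether a user copy action caused the change, and the clipboard history and wallet addresses below are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Broad "looks like a wallet address" shapes. A defender wants recall here;
# exact checksum validation is not needed to notice a swap.
WALLET_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def wallet_kind(text):
    """Return which wallet family a clipboard string resembles, or None."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

@dataclass
class Snapshot:
    ts: float           # seconds since monitoring started
    content: str        # clipboard text at that moment
    user_copied: bool   # True if a user copy action (Ctrl+C, menu) caused this change

def find_hijacks(snapshots):
    """Flag transitions where one wallet-looking string is replaced by a different
    string of the same family with no user copy action: the clipbanker pattern."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if prev.content == cur.content or cur.user_copied:
            continue
        kind = wallet_kind(prev.content)
        if kind and wallet_kind(cur.content) == kind:
            alerts.append({"kind": kind, "original": prev.content,
                           "replacement": cur.content, "delay": cur.ts - prev.ts})
    return alerts

# Constructed clipboard history; the addresses are placeholders, not real wallets.
SAMPLE_HISTORY = [
    Snapshot(0.0, "meeting notes for monday", True),
    Snapshot(5.0, "1VictimWaLLet" + "X" * 17, True),      # user copies their own address
    Snapshot(5.3, "1AttackerWaLLet" + "X" * 15, False),   # swapped with no user action
    Snapshot(9.0, "0x" + "ab" * 20, True),                # user copies an ETH address
    Snapshot(9.2, "0x" + "cd" * 20, True),                # user copies another one: benign
]
```

Only the second transition fires: same address family, different content, and no user copy action behind it.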
In the Cybereason report, their security research team discovered a keylogger written in AHK which masquerades as Kaspersky Antivirus. The team has dubbed the malware Fauxpersky. Once executed, the malware gathers a list of drives on the machine and starts replicating itself to them, which allows it to spread to any connected external drives. Added to that, the keylogger renames the external drives to match its naming scheme. Specifically, the drive’s new name would include its original name, its size, and the string “(Secured by Kaspersky Internet Security 2017)”. The malware also creates an autorun.inf file to point to a batch script. In order to exfiltrate the stolen data, the malware uses Google Forms. This enables the attackers to circumvent the need for a command and control server. In the report, the researchers concluded:
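The two on-disk artifacts the paragraph names, the rewritten volume label and an autorun.inf that launches a batch script, are enough for a quick check of a removable drive. This is an added example, not Cybereason's ahk-dumper or any code from their report; it assumes you read the volume label and autorun.inf contents yourself, and the file names in the constructed samples are placeholders rather than names taken from the report.

```python
import configparser
import re

# Indicators from the Fauxpersky description: the volume label gains the suffix
# "(Secured by Kaspersky Internet Security 2017)" and autorun.inf points at a batch script.
LABEL_SUFFIX = re.compile(r"\(Secured by Kaspersky Internet Security \d{4}\)\s*$")
SCRIPT_EXTENSIONS = (".bat", ".cmd")

def autorun_targets(autorun_text):
    """Return the file names an autorun.inf would launch (open= and shellexecute= keys).
    Returns an empty list when the text does not parse as an INI file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(autorun_text)
    except configparser.Error:
        return []
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):
            if parser.has_option(section, key):
                value = parser.get(section, key).strip()
                if value:
                    # drop any arguments: "launcher.bat /s" -> "launcher.bat"
                    targets.append(value.split()[0])
    return targets

def assess_removable_drive(label, autorun_text):
    """Return the reasons a removable drive looks like it was touched by this keylogger;
    an empty list means no indicator fired."""
    reasons = []
    if LABEL_SUFFIX.search(label):
        reasons.append("volume label carries the fake Kaspersky suffix")
    for target in autorun_targets(autorun_text):
        if target.lower().endswith(SCRIPT_EXTENSIONS):
            reasons.append(f"autorun.inf launches a batch script: {target}")
    return reasons

# Constructed samples: one drive showing both indicators, one clean drive.
INFECTED_LABEL = "USBKEY 14.9GB (Secured by Kaspersky Internet Security 2017)"
INFECTED_AUTORUN = "[autorun]\nopen=launcher.bat\nicon=kaspersky.ico\n"
CLEAN_LABEL = "USBKEY"
CLEAN_AUTORUN = "[AutoRun]\nicon=logo.ico\nlabel=USBKEY\n"
```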
“This malware is by no means advanced or even very stealthy. Its authors didn’t put any effort into changing even the most trivial things, such as the AHK icon that’s attached to the file. However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker’s inbox,”
AHK Malware May Be a Trend but Python and PowerShell Still Superior
While it would appear that this new trend is here to stay, Dr. Vesselin Bontchev, a security researcher with decades of experience in the malware community, doesn't believe AutoHotKey will become more widespread than AutoIt. AutoIt has been the go-to language when it comes to novice-hacker-level malware, often referred to as skid-level malware. He believes that modern scripting languages like Python or PowerShell are probably more powerful, even if user interaction is harder to simulate. Although other languages may be more powerful than AHK, unlike AutoIt it is open source. This means that if the AHK interpreter becomes too notorious and starts getting more hits on the AV radar, hackers can build their own version pretty easily and have a brand new platform to assist in their malware development. Researchers within the community believe that there is a lot of untapped potential in using AHK to create keyloggers.
Passing trend or not, AHK is being used by novice hackers, or skids, to use their jargon, to create pieces of malware. As a learning tool, it is something researchers need to look at, analyze, and understand. It would be too easy to write off this development as nothing serious, but the research in the reports above shows that malware created on this platform can ruin someone’s day, even if that person is looking to exploit a black market Steam marketplace.
Since AutoHotkey is a new player in the malware landscape, there aren't many tools to aid developers in analyzing samples. The Cybereason team released a free tool called ahk-dumper that may help some malware researchers during their work.