Infostealer campaign using AutoIt and Reflective .Net techniques

Alpine Security
3 min readFeb 1, 2024

01 Feb 2024 — Alpine Hunting Team

Disguised as a typical phishing email delivered with the link to download a new “invoice”, Alpine Security Threat Hunting services have carried out an analysis of various ongoing global campaigns.

Following the user’s download action, certain EDR solution monitored the binary without generating any alerts. The threat was successfully identified and neutralized through the exploitation of telemetry data within the Threat Hunting service.

The file is a 32 bits binary (~657 MB, 7-zip compressed), Visual C++ based, with an invalid Digital Signature embedded.

After execution, a legit AutoIt scripting interpreter (under the name “Rwanda.pif”) is downloaded, in order to execute a highly obfuscated script (“D”in the analyzed sample). This script is generated by the concatenation of different “chunks” of information contained in several other files, created based in several copy concatenated operations performed from the command prompt.

Analysing the obfuscated script (“D” in the image above), we observe that it also contains several anti-analysis and anti-sandboxing techniques such as the search process for process related with virtualization environments and AV solutions (such as vmtoolsd.exe, avastui.exe, etc).

The goal of the AutoIt script is to drop RegAsm.exe legit binary, used as a container in order to inject malicious .NET code using Costura Loader (a reflective loader used to obfuscate the code and confuse and hinder reverse engineering efforts) commonly used by other stealers.

Final assembly is highly obfuscated and at the moment of this report is still in analysis phase, but so far, the following IoC has been obtained: IP 91.92.254.99 located in Bulgaria (AS394711: Limenet, Neterra Ltd). This IP identifies a Windows Server system (Netbios name: WIN-ADPD7O8E49E). The socket used is 7702 (0x1E16), which is currently open and operational.

This IP seems to have been related with other malicious identified binaries, mainly stealers (i.e. purelog), reported and identified in VirusTotal in January 2024.

Based on the identified behaviour, we can see recent reported campaigns in Joe Sandbox using the same described malware modus operandi. Several other reported campaigns label the initial attached binary as “ESCAIXA_JUSTIFICANTEPAG0”, simulating a bank payment receipt required to be downloaded.

The use of AutoIt as well as RegAsm by Stealers and RAT is not something new (see, for example, NanoCore RAT). As part of the hunting strategies, we recommend monitoring the creation and execution of the AutoIt interpreter (using, for instance, its signature as a criterion). The following query corresponds to one of our rules in KQL to identify disk writes of suspicious binaries corresponding to the AutoIt interpreter that allows us to identify said threat:

DeviceFileEvents
| where Timestamp > ago (3h)
| where ActionType contains “Created” or ActionType contains “Renamed”
| where FolderPath contains “\\users\\” or FolderPath contains “\\temp\\”
| invoke FileProfile()
| where Signer contains “AutoIt”
| extend isPE=parse_json(AdditionalFields).FileType
| where isPE contains “Executable”
| where FileName !contains “AutoIt” or FileName !endswith “.exe”
| project Timestamp,DeviceName,FolderPath,SHA1

--

--