Malware comes in all shapes, sizes, and languages to make defending against attacks more difficult. One of the nefarious ways malware attempts to hide is by masquerading as a legitimate installer or application.

A recent sample encountered by the Carbon Black Threat Research Team used a compiled AutoIT script that pretends to be an installer for Photoshop CS6 portable. The application installs itself and runs as intended on the target system, while stealthily injecting a Remote Desktop tool known as LuminosityLink into a.

The process for reversing AutoIT scripts can be more difficult since there are far fewer and less developed tools for performing the analysis. Since recovery of source code is trivial for script-to-exe programs, the authors rely heavily on string and execution flow obfuscation.

In this blog we will walk through the techniques used by this malware to increase the difficulty of discovering the final payload and the methods used to maintain persistence on the system. We will also look at the tools, tactics, and techniques for reverse engineering this type of AutoIT script. The sample AutoIT script is compiled into a Windows portable executable using a tool provided by the AutoIT creators.