AUTOIT SCRIPTING USED BY OVERLAY MALWARE TO BYPASS AV DETECTION

in #news, 7 years ago (edited)

The IBM X-Force Research team has reported that attackers targeting Brazilian banks are using AutoIt, a Windows scripting tool, to deploy a remote access trojan (RAT) that hijacks browser-based banking sessions.


Using AutoIt, the researchers said, reduces the likelihood of antivirus detection. Attackers compile the malicious code as an AutoIt script so that, when it runs, antivirus treats it as a legitimate AutoIt framework process.

AutoIt is a freeware automation tool that lets administrators automate system-management tasks through AutoIt scripts.


  • X-Force researchers Ostrovsky and Limor Kessem, co-authors of a report on the RAT published Wednesday, said the malware's use of AutoIt lets it slip past static AV detection that relies on identifying the malware's hash signature.

  • Once deployed, the RAT watches the title bar of the host's browser window for the names of targeted banks. If one is detected, a full-screen image or web page is drawn over the real web page, blocking the victim's view of it. According to the researchers, the RAT then takes control of the victim's endpoint and of the banking session, which is already authenticated.

  • "The malware operator then remotely initiates a fraudulent transaction from the victim's machine and can prompt the user to provide additional details through the fake overlay screen," the researchers said.

  • X-Force researchers say Brazil has become a hot spot for financial malware, and the recent use of overlay malware there reflects a trend toward more sophisticated malicious code in the region.

  • "Over the past year, we have seen the rise of malware such as Client Maximus and similar code that uses remote access together with overlay screens to carry out bank fraud in Brazil. X-Force recently detected a remote access trojan (RAT) that uses the same overlay technique, but with an extra twist in its antivirus-evasion method."

  • The RAT does not have a name, and its code is written in Delphi, a programming language common in malware targeting Brazil. "In Brazil, Delphi-based code is used in these attacks, so a lot of code gets reused; this malware is not a 'family' in the sense the banking-trojan world (Zeus, Ursnif, Dridex, etc.) is used to," Kessem said in an interview with Threatpost.

  • AutoIt has been leveraged by threat actors in other ways to get around AV. Cisco Talos noted in 2015 that a group of attackers used phishing to deliver a tool that installed a RAT and maintained persistence on the target system by mimicking ordinary system-administration activity.

  • In 2013, researchers observed malware authors using AutoIt as a scripting language, with examples of keyloggers and RAT builders developed in AutoIt and uploaded to sharing sites such as text repositories and pastebins.

  • In Brazil, the X-Force researchers said, overlay malware is a preferred way of attacking banks. "As long as such attacks continue to serve them, the threat actors are unlikely to see the need to change," the researchers wrote.
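The evasion described above works because the malicious logic is hidden inside something that looks like an ordinary AutoIt executable, so hashing the file is not enough. A first triage step for a SOC is therefore to find compiled AutoIt binaries at all, independent of what the embedded script does. The scanner below is an added example written for this page; it is not code from IBM X-Force, Threatpost or the AutoIt project. It assumes that AutoIt v3 (3.3.x) compiled executables carry the `AU3!EA06` marker in front of the embedded script blob and the stub strings listed in `AU3_STUB_STRINGS`; the sample bytes are constructed for the example. A hit only says "this is a compiled AutoIt script", which is exactly what legitimate administration tooling looks like as well, so treat it as a prioritization signal for further analysis rather than a malware verdict.

```python
"""Static triage for AutoIt-compiled executables (added example, not the page's code).

Assumptions: the markers below are those of AutoIt v3 (3.3.x) compiled
executables; SAMPLE and BENIGN are constructed byte strings, not real files.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Markers left by the AutoIt v3 compiler (assumption: AutoIt 3.3.x).
AU3_MAGIC = b"AU3!EA06"  # header of the embedded compiled-script blob
AU3_STUB_STRINGS = (
    b"This is a third-party compiled AutoIt script.",
    b"AutoIt v3",
)
MZ_MAGIC = b"MZ"


@dataclass
class AutoItVerdict:
    is_pe: bool
    magic_offset: int  # -1 when AU3!EA06 is absent
    stub_hits: list = field(default_factory=list)

    @property
    def compiled_autoit(self) -> bool:
        """True when the blob shows AutoIt compiler markers (triage signal only)."""
        return self.magic_offset >= 0 or bool(self.stub_hits)


def scan_bytes(data: bytes) -> AutoItVerdict:
    """Scan an in-memory blob (small files, memory dumps, carved sections)."""
    return AutoItVerdict(
        is_pe=data.startswith(MZ_MAGIC),
        magic_offset=data.find(AU3_MAGIC),
        stub_hits=[s.decode() for s in AU3_STUB_STRINGS if s in data],
    )


def scan_stream(fh, chunk: int = 1 << 20) -> AutoItVerdict:
    """Stream a file-like object; keep an overlap so a marker split across chunks is still found."""
    overlap = max(len(AU3_MAGIC), max(len(s) for s in AU3_STUB_STRINGS)) - 1
    is_pe = fh.read(len(MZ_MAGIC)) == MZ_MAGIC
    fh.seek(0)
    magic_offset = -1
    stub_hits = set()
    pos = 0      # absolute offset of the next chunk
    tail = b""   # last `overlap` bytes of the previous window
    while True:
        buf = fh.read(chunk)
        if not buf:
            break
        window = tail + buf
        base = pos - len(tail)  # absolute offset of window[0]
        if magic_offset < 0:
            i = window.find(AU3_MAGIC)
            if i >= 0:
                magic_offset = base + i
        for s in AU3_STUB_STRINGS:
            if s in window:
                stub_hits.add(s.decode())
        pos += len(buf)
        tail = window[-overlap:]
    return AutoItVerdict(is_pe, magic_offset, sorted(stub_hits))


def scan_file(path: str, chunk: int = 1 << 20) -> AutoItVerdict:
    with open(path, "rb") as fh:
        return scan_stream(fh, chunk)


# Constructed sample: a fake PE header with a stub string and the AU3 marker embedded.
SAMPLE = (
    b"MZ" + b"\x00" * 60
    + b"This is a third-party compiled AutoIt script." + b"\x00" * 16
    + AU3_MAGIC + b"\x01\x02"
)
# Constructed benign blob: PE header, no AutoIt markers.
BENIGN = b"MZ" + b"\x00" * 128

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        v = scan_bytes(blob)
        print(f"{name}: compiled_autoit={v.compiled_autoit} "
              f"magic_offset={v.magic_offset} stub_hits={v.stub_hits}")
```

Run it over a quarantine directory with `scan_file` and pivot on the hits: a compiled AutoIt binary whose window-title polling targets banking sites is the pattern the X-Force report describes, while a compiled AutoIt binary in an administrator's tools folder is usually just automation.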
