
Bitcoin mining VMware

Bitcoin Miners Use AutoIt-Compiled Programs With Antianalysis Code  August 2, 2013 – 00:00

Last year, my colleague Itai Liba blogged about the association between malware and AutoIt, a very convenient environment for malware and tools development. AutoIt allows both easy interface creation for rapid development and full Windows API access for whatever is not directly supported. We have seen an increase in the use of AutoIt scripts by malware authors and other bad guys to achieve their malicious ends.

Recently, we have seen AutoIt-compiled programs that drop malicious Bitcoin mining programs. The malware authors are not only using encrypted code but are also focusing on antianalysis code to bypass the common analysis tools and systems used by security researchers. We have come across multiple such malicious tools on public forums, where they are offered as generators of free premium accounts for online hosting services. Interestingly, if you run one of these malicious programs under VMware, the malware won’t run and instead throws up an error message that looks genuine.

Looking at the preceding message, most of us would think that the program has a problem with its Internet connection or firewall, and few would think to examine it further. But this malicious program can detect VMware, Sandboxie, and other spy programs, and deliberately displays this error to avoid analysis by researchers. Let’s find the cause of this error. Searching the strings in the main program tells us that it has been compiled using AutoIt.

Decompiling the program using Exe2Aut gives us the full original script code along with the embedded encrypted file 1.crypt. The decompiled code has about 2,000 lines; most of it comes from the AutoIt wrapper for the WinHTTP functions, WinHTTP.au3. Here is a snippet of that code:

This code is not used at all. It is there only to divert researchers’ attention from the main code. Here is the start-up code of this script:

The preceding code displays a splash screen and finds the required paths by detecting the operating system. The code then checks for the Sandboxie process SbieCtrl.exe and, if that process is detected, exits after displaying an error message similar to the one seen earlier. The script then calls the function _checkforspy(). The program never runs any GUI offering free premium accounts, and it throws up the same kind of error message even on a clean system. Here is how the _checkforspy() code looks:
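The analysis steps described above (spot the padding from WinHTTP.au3 that is never called, the ProcessExists check for SbieCtrl.exe, and the fake "connection error" followed by Exit) can be turned into a small static triage pass over a decompiled AutoIt script. The following is an added example written for this page, not code from the McAfee post or from the sample it describes; the embedded script is a constructed stand-in for Exe2Aut output, the helper names (`triage`, `find_dead_functions`, and so on) are hypothetical, and the table of analysis-tool process names is a short, illustrative list rather than the one the malware used.

```python
import re

# Constructed stand-in for a decompiled AutoIt script (not the real dropper's code):
# padding functions from a WinHTTP wrapper, a Sandboxie check, and a spy-tool loop.
SAMPLE_SCRIPT = r'''
#include <WinHTTP.au3>
Func _WinHttpOpen($sUserAgent = "")
    Return DllCall($hWINHTTPDLL__WINHTTP, "handle", "WinHttpOpen", "wstr", $sUserAgent)
EndFunc
Func _WinHttpConnect($hOpen, $sServerName)
    Return DllCall($hWINHTTPDLL__WINHTTP, "handle", "WinHttpConnect", "handle", $hOpen, "wstr", $sServerName)
EndFunc
SplashTextOn("Premium Account Generator", "Loading...", 300, 100)
If @OSVersion = "WIN_7" Then
    $sPath = @AppDataDir
EndIf
If ProcessExists("SbieCtrl.exe") Then
    MsgBox(16, "Error", "Unable to connect. Check your internet connection or firewall.")
    Exit
EndIf
_checkforspy()
Func _checkforspy()
    Local $aSpy[3] = ["vmtoolsd.exe", "wireshark.exe", "procmon.exe"]
    For $s In $aSpy
        If ProcessExists($s) Then
            MsgBox(16, "Error", "Unable to connect. Check your internet connection or firewall.")
            Exit
        EndIf
    Next
EndFunc
'''

# Illustrative list of well-known analysis/VM tool process names (the post names SbieCtrl.exe);
# a real triage list would be longer.
ANALYSIS_TOOL_PROCESSES = {
    "sbiectrl.exe": "Sandboxie",
    "sbiesvc.exe": "Sandboxie",
    "vmtoolsd.exe": "VMware Tools",
    "vmwaretray.exe": "VMware Tools",
    "wireshark.exe": "Wireshark",
    "procmon.exe": "Process Monitor",
    "ollydbg.exe": "OllyDbg",
}

FUNC_DEF_RE = re.compile(r'^\s*Func\s+(\w+)\s*\(', re.IGNORECASE | re.MULTILINE)
CALL_RE = re.compile(r'\b(\w+)\s*\(')
PROCESS_EXISTS_RE = re.compile(r'ProcessExists\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)


def find_dead_functions(script):
    """Functions that are defined but never called anywhere: the padding the post describes."""
    defined = FUNC_DEF_RE.findall(script)
    # Drop the 'Func name(' definition headers so they are not counted as calls.
    body = FUNC_DEF_RE.sub('', script)
    called = {name.lower() for name in CALL_RE.findall(body)}
    return sorted(f for f in defined if f.lower() not in called)


def find_analysis_checks(script):
    """(process name, tool) pairs for every known analysis-tool name the script tests for.

    Catches both literal ProcessExists("x.exe") calls and .exe names held in arrays
    that are later passed to ProcessExists through a variable."""
    hits = []
    for name in PROCESS_EXISTS_RE.findall(script) + QUOTED_EXE_RE.findall(script):
        label = ANALYSIS_TOOL_PROCESSES.get(name.lower())
        if label and (name.lower(), label) not in hits:
            hits.append((name.lower(), label))
    return hits


def find_fake_error_exits(script):
    """Message text of each MsgBox that is immediately followed by Exit: the
    'genuine-looking error, then quit' pattern used to deflect analysts."""
    lines = [line.strip() for line in script.splitlines()]
    found = []
    for i, line in enumerate(lines[:-1]):
        if line.lower().startswith("msgbox(") and lines[i + 1].lower() == "exit":
            m = re.search(r'"([^"]*)"\s*\)\s*$', line)
            found.append(m.group(1) if m else line)
    return found


def triage(script):
    """Summarise the antianalysis indicators in one decompiled script."""
    return {
        "functions_defined": len(FUNC_DEF_RE.findall(script)),
        "dead_functions": find_dead_functions(script),
        "analysis_tool_checks": find_analysis_checks(script),
        "fake_error_exits": find_fake_error_exits(script),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

On the constructed script the pass reports the two WinHTTP wrapper functions as dead code, flags the Sandboxie and VMware Tools process names even though three of them only appear inside an array, and lists the two error-then-Exit sites. Run over real Exe2Aut output, a high ratio of dead functions to called ones is itself a useful signal that the visible code is padding.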

Source: blogs.mcafee.com
