
AHK RAT Loader

Security researchers have released details of an ongoing attack campaign that drops RAT payloads onto compromised systems. According to their findings, the threat actor uses a unique compiled AutoHotKey (AHK) script as the initial-stage loader. The threat is dropped as a standalone executable that bundles an AHK interpreter, the AHK script, and additional files embedded through the FileInstall command. The AHK scripting language is a branch of the AutoIt language and is commonly used to automate routine tasks and simulate user interaction. To mask its malicious tools, the threat actor also drops a legitimate application onto the infected machine.

The AHK RAT Loader campaign has evolved rapidly in the months since it was launched, with multiple distinct attack chains, each increasingly sophisticated and adding new functionality. The final RAT payloads have also varied widely: the hackers initially deployed VjW0rm and the Houdini RAT, then switched to njRAT, LimeRAT, and RevengeRAT. One attack chain that uses the AHK RAT Loader but deviates from the rest of the campaign's operations delivered AsyncRAT as its final payload.

General Characteristics of the AHK RAT Loader

The first action taken by the AHK script is to drop a legitimate application into the %appdata% directory on the victim's machine. It then delivers two files into the %programdata% directory: a launcher named 'conhost.exe' and a manifest file that must sit alongside it. The conhost.exe file is a legitimate application, but it is abused to run a corrupted manifest file through a path hijack. A VBScript then eventually sets up and launches the final RAT payload.
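A copy of conhost.exe living anywhere other than its system directory, with an application manifest dropped next to it, is the observable a defender can hunt for in the step just described. The following is an added example (not code from the original page or from the researchers' report): it runs over a constructed inventory of image paths and files, and assumes that conhost.exe legitimately resides only in %SystemRoot%\System32 on a default install and that the dropped manifest follows the side-by-side naming `conhost.exe.manifest`; both are assumptions of the example, not facts stated on the page.

```python
r"""Hunt for a relocated conhost.exe with an adjacent application manifest.

Added example, not code from the original page. It scans a list of
executable image paths (constructed here; in practice the image paths
from process-creation or file-creation telemetry) and flags any copy of
conhost.exe outside %SystemRoot%\System32, noting whether a manifest
file sits beside it, as the loader described above drops one.
"""
import ntpath

# Assumed only legitimate home of conhost.exe on a default Windows install.
EXPECTED_DIR = r"c:\windows\system32"


def is_suspicious_conhost(image_path, existing_files):
    """Return a finding string, or None if the image path looks legitimate.

    existing_files: set of lower-cased, normalised paths present on the host
    (constructed for the example; normally the result of a file listing).
    """
    norm = ntpath.normpath(image_path).lower()
    directory, name = ntpath.split(norm)
    if name != "conhost.exe":
        return None
    if directory == EXPECTED_DIR:
        return None
    # Assumed side-by-side manifest name: <image>.manifest next to the binary.
    has_manifest = norm + ".manifest" in existing_files
    reason = "conhost.exe outside System32"
    if has_manifest:
        reason += " with adjacent application manifest (path hijack pattern)"
    return reason


def scan(image_paths, existing_files):
    """Map each suspicious image path to the reason it was flagged."""
    files = {ntpath.normpath(p).lower() for p in existing_files}
    findings = {}
    for path in image_paths:
        reason = is_suspicious_conhost(path, files)
        if reason:
            findings[path] = reason
    return findings


# Constructed inventory for the demonstration, not data from a real host.
OBSERVED_IMAGES = [
    r"C:\Windows\System32\conhost.exe",
    r"C:\ProgramData\conhost.exe",
    r"C:\Users\alice\AppData\Roaming\legit-app\legit-app.exe",
]
FILES_ON_HOST = OBSERVED_IMAGES + [r"C:\ProgramData\conhost.exe.manifest"]

if __name__ == "__main__":
    for path, reason in scan(OBSERVED_IMAGES, FILES_ON_HOST).items():
        print(f"{path}: {reason}")
```

On a host whose Windows directory is not `C:\Windows`, derive `EXPECTED_DIR` from the actual `%SystemRoot%` value before comparing; the hit on `C:\ProgramData\conhost.exe` in the constructed inventory is the pattern the page describes.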

Subsequent attack chains started to include more techniques aimed at AV solutions. A Batch script, and an LNK file pointing to it, were introduced in an attempt to disable Microsoft Defender. Furthermore, through a new VBScript, the threat actor tries to block communications of popular anti-malware products by tampering with the victim's HOSTS file. An additional AHK executable was tasked with further masking the RAT payload.
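HOSTS-file tampering of the kind described above leaves a simple artifact: entries for security-vendor hostnames that should never appear in the file, either pointed at a loopback or null address (a sinkhole) or at a foreign address (a redirect). The following is an added example, not code from the original page: it parses HOSTS-file text and reports any entry touching a watched domain. The watchlist domains and the sample file content are constructed placeholders; in practice the watchlist would hold the update and telemetry hostnames of the products deployed in your environment, and the text would be read from %SystemRoot%\System32\drivers\etc\hosts.

```python
r"""Flag HOSTS-file entries that override security-vendor hostnames.

Added example, not code from the original page. The watchlist and sample
file below are constructed for the demonstration.
"""
import ipaddress

# Addresses that turn a name resolution into a dead end.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed watchlist (placeholder names, not real vendors). A bare
# domain matches itself and every subdomain.
WATCHLIST = {"example-av.test", "telemetry.example-edr.test"}


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for each effective HOSTS entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # canonical form
        except ValueError:
            continue  # malformed entry; not a resolvable mapping
        yield lineno, ip, [h.lower().rstrip(".") for h in parts[1:]]


def _is_watched(hostname, watchlist):
    return hostname in watchlist or any(
        hostname.endswith("." + w) for w in watchlist
    )


def find_hosts_overrides(text, watchlist=WATCHLIST):
    """Return (lineno, hostname, ip, kind) for every override of a watched name.

    kind is "sinkhole" for loopback/null targets and "redirect" otherwise;
    both are anomalous, since vendor names should resolve through DNS.
    """
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for h in hosts:
            if _is_watched(h, watchlist):
                kind = "sinkhole" if ip in SINKHOLE_ADDRESSES else "redirect"
                findings.append((lineno, h, ip, kind))
    return findings


# Constructed sample, not a real victim's file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test      # sinkholed vendor name
127.0.0.1       telemetry.example-edr.test cloud.example-av.test
203.0.113.9     portal.example-av.test      # redirected to a foreign address
10.0.0.5        intranet.corp.test
"""

if __name__ == "__main__":
    for lineno, host, ip, kind in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip} ({kind})")
```

Reporting redirects as well as sinkholes matters because a loopback-only check would miss an entry that points a vendor name at an attacker-controlled address; the `intranet.corp.test` and `localhost` lines in the sample are left alone, so legitimate local overrides do not generate noise.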

The observed modifications and the introduction of new techniques show the sustained efforts of the threat actor behind the AHK RAT Loader to avoid detection by passive security controls.
