AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | AutoIt backdoor has sent a C2 response that was base64-encoded.[1] |
| Enterprise | T1083 | File and Directory Discovery | AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.[1] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | AutoIt backdoor attempts to escalate privileges by bypassing User Account Control.[1] |