Opening the DarkGate: Exploring the Destructive Potential of AutoIT and Possible Mitigations

Presented at CactusCon 12 (2024), Feb. 17, 2024, 2:30 p.m. (60 minutes).

In analyzing DarkGate malware, one thing that has stood out as interesting has been the use of AutoIt as a delivery mechanism. AutoIt is a free BASIC-like scripting platform, intended for use as a remote administration, software deployment, or automation tool. However, the AutoIt interpreter and .au3 scripts also provide a covert platform to inject shellcode, execute malware, or carry out other dirty deeds. Since AutoIt has a valid certificate, it is more likely to be trusted by antivirus engines, making this a valid evasion tactic. In this talk we will examine DarkGate malware, building upon the excellent research already done by 0xToxin, and expand in the direction of malicious applications of AutoIt and similar tools for malware delivery, recon, and lateral movement. A series of options will be explored and analyzed from the perspective of evasiveness and detectability. Finally, we will walk through strategies to protect against attacks using AutoIt specifically, as well as general principles that should help with other tools that are sure to be put to similar use with possibly devastating effects.

Presenters:

  • CroodSolutions - Mike Manrod, CISO, GCE
    Mike presently serves as the Chief Information Security Officer for Grand Canyon Education, responsible for leading the security team and formulating the vision and strategy for protecting students, staff and information assets across the enterprise. Previous experiences include serving as a threat prevention engineer for Check Point and working as a consultant and analyst for other organizations. He is also a co-author/contributor for the joint book project, Understanding New Security Threats published by Routledge in 2019, along with multiple articles/whitepapers. When not working, he spends time playing video games with his kids or doing projects around the farm.
  • Ezra Woods - Information Security Analyst, AZDES
    Recent cybersecurity graduate from Grand Canyon University, working as an Information Security Analyst for Arizona's Department of Economic Security. Captain of GCU's collegiate cyber defense team, and Team Lead for ACTRA's Threat Intelligence Support Unit (TISU).
