AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. ^[1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

ID: S0129

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1548	.002	Abuse Elevation Control Mechanism: Bypass User Account Control	AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.^[1]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	AutoIt backdoor has sent a C2 response that was base64-encoded.^[1]
Enterprise	T1083		File and Directory Discovery	AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.^[1]

Groups That Use This Software

ID	Name	References
G0064	APT33	^[2]
G0040	Patchwork	^[1]

References

Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.

AutoIt backdoor

Enterprise Layer

Techniques Used

Groups That Use This Software

References