Decompiling an AutoIt exe

AutoIt is yet-another-development-language that malware authors leverage to create and obfuscate their malware. As a matter of fact, AutoIt is so closely associated with malware that AutoIt's website has a wiki article that "addresses" the fact that the legitimate AutoIt binary is often detected as malicious by antivirus.

In this post, I will not be going into end-to-end analysis of any one sample. Unfortunately, there are way too many different ways that malware authors have leveraged AutoIt for me to write a one-analysis-fits-all post. I will, however, attempt to provide you with a starting point by showing you how to get from a compiled AutoIt binary to a plain-text script.

One of the first things that you'll need to understand is that AutoIt provides its users with two different compile options: either a compiled script or a standalone executable. With the compiled script, the malicious payload will be presented as at least two files: one being the compiled script and the other being a legitimate AutoIt interpreter. Here is an example of one such malicious sample:

[Figure 1: AutoIt Interpreter and compiled script sample]

In Figure 1, WinddowsUpdater.exe is the legitimate AutoIt interpreter that was simply renamed by the miscreant to hide the executable's true identity.
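A small triage helper for the two-file pattern just described: it flags a file that carries the official interpreter's version-info strings but sits on disk under another name (the Figure 1 case), and separately flags the AU3!EA06 marker that AutoIt v3 compiled scripts carry. This is an added example, not the post's code; the marker and the AutoIt3.exe / "AutoIt v3 Script" version-info strings are known AutoIt artifacts, while the byte blobs it scans are constructed test data, and it string-scans rather than parsing PE resources, so treat its output as a triage hint.

```python
"""Triage helper: spot a renamed AutoIt interpreter and compiled-script payloads.

Added example, not part of the original post. It string-scans raw bytes
instead of parsing PE resources, so it is a triage hint, not a verdict.
"""
from dataclasses import dataclass

# Marker carried by AutoIt v3 compiled scripts (widely used in YARA rules).
AU3_MAGIC = b"AU3!EA06"

# Strings the official AutoIt3.exe stores in its VS_VERSIONINFO resource;
# PE version-info strings are UTF-16LE, so match the encoded form.
ORIGINAL_NAME = "AutoIt3.exe".encode("utf-16-le")
DESCRIPTION = "AutoIt v3 Script".encode("utf-16-le")


@dataclass
class Verdict:
    is_interpreter: bool       # carries the interpreter's version-info strings
    renamed: bool              # ...but lives on disk under a different name
    has_compiled_script: bool  # carries the AU3!EA06 compiled-script marker


def triage(filename: str, data: bytes) -> Verdict:
    """Classify one file from its on-disk name and raw contents."""
    is_interp = ORIGINAL_NAME in data and DESCRIPTION in data
    renamed = is_interp and filename.lower() != "autoit3.exe"
    return Verdict(is_interp, renamed, AU3_MAGIC in data)


def build_sample(original_name: str, script: bytes = b"") -> bytes:
    """Constructed test data: a fake blob mimicking the relevant slices of a
    PE image (UTF-16LE version-info fragment, optional embedded script)."""
    version_info = (
        "OriginalFilename\0" + original_name + "\0"
        "FileDescription\0AutoIt v3 Script\0"
    ).encode("utf-16-le")
    return b"MZ" + b"\x00" * 32 + version_info + script


if __name__ == "__main__":
    # Figure 1's pattern: the interpreter renamed to WinddowsUpdater.exe,
    # shipped beside a separate compiled script (constructed stand-in).
    interp = build_sample("AutoIt3.exe")
    script = AU3_MAGIC + b"\x00" * 16
    print(triage("WinddowsUpdater.exe", interp))
    print(triage("payload.a3x", script))
```

On a real image the version-info strings may be absent or altered, so a clean result here only means the cheap checks found nothing.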