The script “contained the actual functionality
Hopefully that means that analysts will now be able to incorporate this valuable information and make all applications more secure.
File this under “it was bound to happen one day”: Cisco has spotted a targeted phishing attack based on a popular sysadmin automation tool. If someone in the “IT crowd” bunker falls for the phishing attack, Cisco's Talos Group says the payload exploits AutoIT, a scripting admin environment for Windows. Talos explains what's …
Documents should not have macros. If you need anything fancy then it should be like MailMerge for WordStar with placeholders and executed separately.
If there weren't macros and embedded crap in documents (Word, PDF, etc) we'd have a considerably smaller attack surface.
It seems to me it would be simpler to report this as "malware (or RAT) written in AutoIt". Since they ran it as an interpreter, I guess it's technically accurate to say the malware used AutoIt... but it's not like they tricked or hacked it. They simply wrote a nasty program in that language and used it normally.
The most annoying thing about all this is it can easily result in useful harmless programs getting flagged as viruses. This has happened before.
Biting the hand that feeds IT © 1998–2021