Jump to content

Search the Community

Showing results for tags 'autohotkey'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 3 results

  1. AutoHotkey-Based Credential Stealer Targets US, Canadian Bank Customers Trend Micro team has detected a malware’s command-and-control (C&C) servers that has been targeting the financial institutions in the US and Canada and determined that these come from the US, the Netherlands, and Sweden. It is believed that they have been using the scripting language AutoHotkey (AHK) What is AutoHotkey (AHK)? AHK is an open-source scripting language for Windows that aims to provide easy keyboard shortcuts or hotkeys, fast micro-creation, and software automation. AHK also allows users to create a “compiled” .EXE with their code in it. Threat actors have used this scripting language that has no built-in compiler within a victim’s operating system, and which can’t be executed without its compiler or interpreter. How does the malware work? The two critical roles in the infection are The dropped adb.exe: The adb.exe is a legitimate portable AHK script compiler, and its job is to compile and execute the AHK script at a given path. adb.ahk: AHK script is a downloader client that is responsible for achieving persistence, profiling victims, and downloading and executing the AHK script on a victim system The downloader client also creates an autorun link for adb.exe in the startup folder. This portable executable executes an AHK script with the same name in the same directory which is called as adb.ahk. Then this script calls each user by generating a unique ID for each victim based on the volume serial number of the C drive. The malware then goes through an infinite loop and starts to send an HTTP GET request every five seconds with the generated ID. This ID serves as the request path to its command-and-control (C&C) server to retrieve and execute the AHK script on an infected system. For command execution, the malware accepts various AHK scripts for different tasks per victim and executes these using the same C&C URL. There are five C&C servers and two commands discovered here: deletecookies and passwords. Through the downloads a stealer is written in AHK which is responsible for harvesting credentials from various browsers and exfiltrating them to the attacker, which majorly targets Bank website addresses. To precise the working, this malware infection consists of multiple stages that start with a malicious Excel file. If the user enables the macros to open the Excel file, VBA AutoOpen macro will then drop and execute the downloader client script via a legitimate portable AHK script compiler. The downloader client is responsible for achieving persistence, profiling victims, and downloading and executing AHK script in a victim system. Instead of receiving commands from the C&C server, the malware downloads and executes the AHK script for different tasks. The downloaded script is a stealer that targets various browsers such as Google Chrome, Opera, Edge, and more. The stealer collects and decrypts credentials from browsers and exfiltrates the information to the attacker’s server via an HTTP POST request. Effects of malware attack The main purpose of this malware is to steal credentials from various browsers such as Microsoft Edge, Google Chrome, Opera, Firefox, and Internet Explorer (IE). Source: AutoHotkey-Based Credential Stealer Targets US, Canadian Bank Customers
  2. blueorchid

    FastKeys v4.23

    FastKeys v4.23 (more screenshots: https://www.fastkeysautomation.com/screenshots.html) About FastKeys: FastKeys is an easy-to-use Windows automation tool and Text Expander. It allows you to build your own text abbreviations, start menus, shortcuts and commands to run files, open web-pages, send macros or automate anything. It is incredibly powerful yet simple to use. Key Features: Powerful strings abbreviations in Text Expander to save you hours of typing. Type out a couple of letters, and the program replaces it with a whole word or paragraph or even simulates key presses. Great productivity tool. Personalized Start Menu. Use Start Menu to start any activity on you computer. Just touch the screen edge to call the menu - it is always there and is fully adaptable to your needs. Keyboard or mouse Shortcuts to do just about anything with a keystroke. Run programs, open files and folders, open sites or use powerful scripts to automate Windows desktop and applications. Intelligent Auto Complete word and phrase prediction utility with learning capability. Many language databases are already included. Great time saver. It can also be used as versatile launcher. Simple and amazing Mouse Gestures lets you perform common tasks or execute complex actions. Just hold down a mouse button (usually a right one) and move the mouse. Changelog v4.23: Space added as a selection key, Start Menu improvements, New settings in Enterprise Edition, Updated translations, Small improvements and bug fixes. (Version history) Links: Homepage: https://www.fastkeysautomation.com/index.html Download: https://www.fastkeysautomation.com/download/FastKeys_Setup.exe Portable: https://www.fastkeysautomation.com/download/FastKeys_Setup_Portable.exe Keygen (Fastkeys 3.0x Keygen Team SnD): Site: https://www.upload.ee Sharecode: /files/9585842/FK_3_KG.7z.html Password: Comments: The medicine still works for this version. If you like this piece of software, show the devs some support any buy it.
  3. Metamorfo Banking Trojan Abuses AutoHotKey to Avoid Detection A legitimate binary for creating shortcut keys in Windows is being used to help the malware sneak past defenses, in a rash of new campaigns. The Metamorfo banking trojan is abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information, researchers have warned. AHK is a scripting language for Windows originally developed to create keyboard shortcuts (i.e., hot keys). According to the Cofense Phishing Defense Center (PDC), the malware (a.k.a. Mekotio) is targeting Spanish-language users using two separate emails as an initial infection vector. One is a purported request to download a password-protected file; and the other is an elaborate spoofed notification about pending legal documents, with a link that downloads a .ZIP file. Metamorfo Abusing AHK In both cases, the malicious code is contained in a .ZIP file that’s ultimately downloaded to victim computers. It contains three files: the legitimate AHK compiler executable (.EXE), a malicious AHK script (.AHK) and the banking trojan itself (.DLL). These are unpacked into a randomly named file housed in C:\\ProgramData. A script will then run the AHK compiler, the AHK compiler will execute the AHK script, and the AHK script will finally load Metamorfo into the AHK compiler memory. “[Metamorfo] will then operate from within the AHK compiler process, using the signed binary as a front to make detection more difficult for endpoint solutions,” researchers explained, in a posting on Thursday. For persistence, copies of all three files are also placed in a new folder. “It will then use a run key to initiate the execution chain every time the system restarts by executing the renamed copy of the AHK compiler,” according to the report. Metamorfo Resurgence in LatAm, Europe Metamorfo started life as a Latin American banking trojan, first discovered in April 2018, in various campaigns that share key commonalities (like the use of “spray-and-pray” spam tactics). Its campaigns however have small, “morphing” differences — which is the meaning behind its name. A variant that emerged in February 2020, for instance, kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords – which it then tracks via a keylogger. That trick is also present in the latest attacks, according to the PDC, with cybercrooks targeting customers of banks in Latin America and Europe (including France, Portugal and Spain). Metamorfo monitors browser activity looking for targeted banks, which are listed in the form of strings in the AHK compiler process memory, researchers explained. When a victim opens one of the targeted banking pages, Metamorfo overlays it with a fake version of the webpage designed to harvest credentials. “[Metamorfo] disables specific registry browser values associated with password and form suggestions and autocompletion,” researchers said. “This forces the user to type in sensitive information, even if they have it saved in their browser history, allowing the malware to capture credentials with its keylogging capabilities.” This version of the trojan can also monitor Bitcoin addresses copied to a clipboard and replace them with one belonging to the attackers. “As of this writing, this specific attacker address had a balance of 0.01957271 BTC, approximately $800,” researchers said. Metamorfo’s Banking Trojan Infection Routine The PDC encountered two main mechanisms for delivering the payload in these campaigns. In the first instance, there is a .ZIP file containing an MSI file that includes a malicious domain harboring 32 and 64-bit versions of a second .ZIP file; and in the second scenario the original .ZIP file drops a shortcut file containing a malicious Finger command. Finger.exe is a native Windows command that allows the retrieval of information about a remote user. “The Custom Actions table of these MSI files enables the incorporation of custom code to the installation package and is often abused by attackers,” said the researchers. “[The table] shows an action titled ‘dqidwlCTIewiuap’ containing obfuscated JavaScript. The JavaScript is responsible for downloading the correct version of the .ZIP file from the payload site, unzipping its contents, renaming and placing it into a new randomly named folder.” In the second instance, a command is used to contact a server, which displays the contents of a hosted file in a command shell. The file in question is a PowerShell script that will run in this shell. “The script carries out similar actions to the MSI: it downloads a ZIP file, renames it, copies it to a newly created folder and unzips it there,” researchers explained. “The PDC also saw both tactics combined in at least one case, by incorporating the malicious Finger command directly into the MSI Custom Actions table.” Users can protect themselves by being wary of what files they download and also by checking their machines for random new file folders in the Windows Program Data directory. “The main takeaway is that legitimate binaries can be leveraged as a façade for malicious activity,” researchers concluded. “Vigilance is key. If a file or process is not meant to be there, it’s best to check.” Source: Metamorfo Banking Trojan Abuses AutoHotKey to Avoid Detection
  • Create New...