Vertexnet Botnet Hides Behind AutoIt

Recently we found some new malware samples using AutoIt to hide themselves. On further analysis we found that those sample belong to the Vertexnet botnet. They use multiple layers of obfuscation; once decoded, they connect to a control server to accept commands and transfer stolen data.

This sample is packed using a custom packer. On execution it drops three files in the %TEMP% folder.

vertex1

 

These files are compiled using aut2exe. The malware next executes the file botnet.exe from the temp folder. This file is written in AutoIt. We can easily decompile it using Exe2Aut.

Vertex2

 

This file uses various obfuscated variables that are encrypted using a simple algorithm:

vertex3

 

Decoding the variables, we can see that this script calls various Windows APIs using the Autoit DLL functions DllStructCreate, DllStructGetPtr, DllCall, etc.

vertex12

 

Searching Google, we easily found the original code likely to be used in the preceding script with obfuscation:  http://www.autoitscript.com/forum/topic/99412-run-binary/

(The preceding post containing information on how to run an executable from memory is old. It was made  around 2009 on autoitscript.com.)

The technique of running an executable from memory through an AutoIt script is well documented on this link. To summarize, it first creates a process with with the CREATE_SUSPENDED flag:

vertex4

 

Next it uses GetThreadContext to get the CONTEXT structure:

vertex5

 

Subsequently, it uses WriteProcessMemory,SetThreadContext and allocates memory for the data.

vertex6

 

Then it resumes the thread:

vertex7

 

After dumping the data in WriteProcessMemory calls, we get a Visual Basic file, which uses the RunPE method to execute the payload:

vertex8

 

The final payload is VertexNet 1.2 , which we discovered from the strings it contains:

vertex10
On executing the final payload, it communicates with the control server:

vertex11

 

We see an constant increase in AutoIt malware because of its ease of use. We have found that malware authors always use ready-made tools and quickly adapt to new tricks.

McAfee customers are protected against this threat by IPS signature: BOT: VertexNet Bot Activity Detected.

I would like to thank my colleague Arunpreet Singh for his help with the analysis of this threat.