Skip to content

S0129 AutoIt backdoor

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. 1 This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

Item Value
ID S0129
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding AutoIt backdoor has sent a C2 response that was base64-encoded.1
enterprise T1083 File and Directory Discovery AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.1

Groups That Use This Software

ID Name References
G0040 Patchwork 1
G0064 APT33 2

References

  1. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  2. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.