Security researchers from SonicWall recently uncovered a new strain of malware targeting Gmail accounts. The malicious program, named MalAgent.AutoITBot, is distributed as an executable file under the name “File.exe” and employs a variety of tactics to compromise user data, including clipboard data interception, keylogging, and potential control over input devices.
Upon execution, MalAgent.AutoITBot attempts to open the Gmail login page using popular browsers like Microsoft Edge, Google Chrome, and Mozilla Firefox. However, the capabilities of this malware extend far beyond mere access to email accounts.
The primary objective of this bot is data theft and system manipulation. It can record keystrokes, read clipboard contents, and even control keyboard and mouse inputs. These capabilities enable the malware to gather sensitive information, such as usernames, passwords, and other critical data.
Moreover, MalAgent.AutoITBot can reboot or shut down the infected device, initiate processes on behalf of other users, and block user input when debugging tools are detected. This anti-analysis feature complicates the study of the malware and the development of countermeasures, making it a significant challenge for cybersecurity professionals.
An analysis conducted by SonicWall’s team revealed that the file was heavily obfuscated and used multiple network libraries with obscure identifiers. This complexity makes it harder to establish exactly what actions the malware performs and what its operators intend.
Upon extracting the script, researchers found commands that directed browsers to the Gmail login pages via “accounts.google.com.” However, the malware doesn’t stop there; it also includes links to popular social media login pages. This approach suggests that the bot is designed to steal credentials from a wide range of online services, not just Gmail.
Particularly concerning is MalAgent.AutoITBot’s ability to run multiple processes covertly. For example, when launching Firefox, the malware simultaneously creates a hidden page while attempting to establish a network connection. This stealthy behavior lets the malware operate unnoticed, complicating its detection and removal by both users and traditional antivirus solutions.
Given these capabilities, MalAgent.AutoITBot poses a severe threat to both individual users and organizations. Its ability to steal credentials and manipulate system functions underscores the importance of exercising caution when handling files of unknown origin.