Trend Micro researchers identified the malware, found on an endpoint of a public sector organization, as an AutoHotKey variant of the Monero-mining RETADUP worm.
“AutoHotKey is relatively similar to the script automation utility AutoIt, on which RETADUP's earlier variants were based and which was used for both cybercrime and cyberespionage,” researchers said in the April 23 blog post.
Despite the malware operator's history of deploying malware in targeted attacks, the observed sample only focused on cryptomining.
Researchers said RETADUP's AutoHotKey version and its AutoIt variant share the same endgame of mining Monero, and both use the same techniques to propagate, evade detection, and install the malicious Monero miner.
The shift in programming languages was attributed to AutoHotKey being a relatively novel choice of scripting language for malware, meaning that several security tools do not yet actively detect or analyze malware written in it.
Researchers also noted that the malware's polymorphic behavior makes it harder to detect for IT teams that lack the time or resources to actively seek out similar or unique threats and thwart them before they cause harm.
The stealth techniques used by the malware underscore the importance of having insight into an organization's online perimeter, from endpoints and networks to servers. The malware also highlights the need for organizations to have 24/7 monitoring, along with in-depth research and correlation of similar incidents, so that threat analysts can provide further insight on a case-by-case basis.
This will help catch attacks like RETADUP and help determine whether threats are one-off, part of a coordinated, targeted attack, or part of an opportunistic cybercriminal campaign.