Trend Micro discovered a potential targeted attack that abuses the legitimate AutoHotkey script engine in combination with malicious script files. The lure is distributed as an email attachment disguised as a legitimate document with the filename “Military Financing.xlsm.” The user must enable macros for the file to open fully; the macro then uses AutoHotkey to load the malicious script file, so the process doing the work is a legitimate, widely used interpreter rather than a custom malicious binary, which helps the attack avoid detection. From there the threat actors can steal certain information and even download TeamViewer to gain remote access to the system.
If the user enables macros to open the .xlsm file, the macro drops the legitimate AutoHotkey script engine along with a malicious script file. Once AutoHotkey loads the malicious script, the script connects to its C&C server and downloads and executes additional script files in response to commands from the server. In our observation, it lastly downloaded and executed TeamViewer to gain remote control over the system. However, it can download and execute other script files depending on the command it receives from the C&C server.
Source: Trend Micro
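The chain described above (a macro-enabled workbook launching the AutoHotkey interpreter, which later fetches and runs TeamViewer) leaves a distinctive parent/child pattern in process-creation telemetry. The following Python is an added example written for this page, not code from Trend Micro or from the report. The event shape, the image names it matches on, the `.ahk` command-line fallback for a renamed interpreter, and the sample events are all constructed assumptions; the network stage (C&C beaconing and the script downloads) is not modelled.

```python
"""Hunt for the AutoHotkey chain in process-creation telemetry.

Added example for this page (not Trend Micro's code). It flags the two
parent/child relationships the report describes:
  1. an Office process (the macro-enabled workbook) launching the
     AutoHotkey interpreter with a script, and
  2. TeamViewer being launched by that interpreter or one of its children.
Image names, the event shape and the sample events are constructed
assumptions, not indicators taken from the report.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
REMOTE_ACCESS_PREFIX = "teamviewer"   # TeamViewer.exe, TeamViewer_Setup.exe, ...
MAX_ANCESTOR_DEPTH = 8                # stop walking the process tree after this many hops


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / EDR equivalent, simplified)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_office(ev: ProcEvent) -> bool:
    return basename(ev.image) in OFFICE_IMAGES


def is_ahk_host(ev: ProcEvent) -> bool:
    """AutoHotkey interpreter. The image-name check catches the stock binary;
    the .ahk argument check is a fallback for a renamed copy (assumption)."""
    return basename(ev.image).startswith("autohotkey") or ".ahk" in ev.cmdline.lower()


def is_remote_access(ev: ProcEvent) -> bool:
    return basename(ev.image).startswith(REMOTE_ACCESS_PREFIX)


def find_ahk_chain(events: List[ProcEvent]) -> List[Tuple[str, int, int]]:
    """Return (rule, source_pid, child_pid) alerts, in event order."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Tuple[str, int, int]] = []

    # Stage 1: Office parent -> AutoHotkey child. A user's own AutoHotkey
    # launched from Explorer does not match, which keeps the rule quiet where
    # the tool is legitimately installed.
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if is_ahk_host(ev) and parent is not None and is_office(parent):
            alerts.append(("office_spawned_ahk", parent.pid, ev.pid))

    # Stage 2: TeamViewer with an AutoHotkey host somewhere in its ancestry.
    for ev in events:
        if not is_remote_access(ev):
            continue
        anc: Optional[ProcEvent] = by_pid.get(ev.ppid)
        for _ in range(MAX_ANCESTOR_DEPTH):
            if anc is None:
                break
            if is_ahk_host(anc):
                alerts.append(("ahk_spawned_remote_access", anc.pid, ev.pid))
                break
            anc = by_pid.get(anc.ppid)
    return alerts


# Constructed sample telemetry: one malicious chain and two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r'"EXCEL.EXE" "C:\Users\u\Downloads\Military Financing.xlsm"'),
    ProcEvent(1300, 1200, r"C:\Users\u\AppData\Local\Temp\AutoHotkeyU32.exe",
              r'AutoHotkeyU32.exe "C:\Users\u\AppData\Local\Temp\script.ahk"'),
    ProcEvent(1400, 1300, r"C:\Users\u\AppData\Local\Temp\TeamViewer.exe", "TeamViewer.exe"),
    # Benign: the user's own hotkey script started from Explorer.
    ProcEvent(2000, 1000, r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r'AutoHotkey.exe "C:\Users\u\Documents\hotkeys.ahk"'),
    # Benign: TeamViewer started by the user for IT support.
    ProcEvent(2100, 1000, r"C:\Program Files\TeamViewer\TeamViewer.exe", "TeamViewer.exe"),
]

if __name__ == "__main__":
    for rule, src, child in find_ahk_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {src} -> pid {child}")
```

The Office-parent relationship is the discriminating signal: AutoHotkey on its own is a legitimate tool and TeamViewer on its own is common in IT support, so neither should alert in isolation, and the two benign events in the sample exercise exactly that. In a real deployment the second stage would be enriched with the interpreter's outbound network connections, since the report describes the script beaconing to a C&C server before anything is downloaded.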