Yet another banking Trojan has been discovered. This one leverages AutoHotKey (AHK) and the AHK compiler to evade detection. According to researchers, the Mekotio banking Trojan has been used in phishing emails targeting Spanish users.
What Transpired?
Customers of banks in Latin America and Europe (France, Portugal, and Spain) have been the focus of the latest attack campaign.
- As an initial infection vector, the banking trojan targets Spanish-language users with two separate emails: one is a request to download a password-protected file, the other is a spoofed notification.
- In both spam emails, the malicious code is delivered inside a .ZIP file that is downloaded to the victim's computer.
Understanding Tactics, Techniques, and Procedures
The malicious payload consists of three large files: a legitimate AHK compiler executable, a malicious AHK script, and the Mekotio banking trojan itself.
- Once saved to the local hard drive, these files are unpacked into a randomly named folder. A script then runs the AHK compiler to execute the malicious AHK script, which loads the Mekotio malware into the AHK compiler's memory.
- The Trojan then runs from within the AHK compiler process, using the signed binary as a disguise that makes detection harder for endpoint security solutions.
- For persistence, the Trojan copies all three files into a new folder and adds a Run key that restarts the execution chain on every system reboot by launching the renamed copy of the AHK compiler.
The Mekotio Trojan has several additional capabilities including the following –
- Monitoring browser activity related to banks and financial institutions.
- Presenting a fake version of the webpage to the potential victim.
- Monitoring Bitcoin addresses copied by users and replacing the value in the clipboard with one belonging to the attackers.
A major lesson from these campaigns is that legitimate binaries can be abused for malicious activity. Consequently, our internal experts advise staying alert when downloading files from unknown sources on the internet and, in addition, checking for randomly named new folders being created in the Windows ProgramData directory.
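As an added example (not code from the original post or from the researchers it cites), the following Python triage script turns the persistence chain described above and the ProgramData advice into a check a defender can run over collected artefacts: it flags Run-key entries that launch an executable from a randomly named folder under ProgramData with an .ahk script passed as an argument or sitting beside it. The registry values, folder names and file names are constructed sample data; the entropy threshold and the three-signal cut-off are assumptions, not thresholds taken from the report.

```python
import math
import re
from pathlib import PureWindowsPath

# Constructed sample data (not from a real infection): Run-key values as exported
# from HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value name -> command line.
SAMPLE_RUN_KEYS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WinUpdateSvc": r'"C:\ProgramData\q7xk29m4ab\winsvc.exe" "C:\ProgramData\q7xk29m4ab\loader.ahk"',
    "Discord": r'C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe',
}

# Constructed directory snapshot (folder -> files) gathered alongside the registry export.
SAMPLE_DIRS = {
    r"C:\ProgramData\q7xk29m4ab": ["winsvc.exe", "loader.ahk", "stage2.bin"],
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive": ["OneDrive.exe"],
    r"C:\Users\alice\AppData\Local\Discord": ["Update.exe"],
}

PROGRAMDATA = r"C:\ProgramData"


def split_command(cmdline):
    """Split a Run-key command line into tokens, honouring double-quoted paths."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def looks_random(name, min_len=8, min_entropy=3.0):
    """Heuristic for a generated folder name: long, alphanumeric, letters mixed
    with digits, and high per-character Shannon entropy (thresholds are assumed)."""
    if len(name) < min_len or not name.isalnum():
        return False
    has_alpha = any(c.isalpha() for c in name)
    has_digit = any(c.isdigit() for c in name)
    counts = {c: name.count(c) for c in set(name)}
    entropy = -sum(n / len(name) * math.log2(n / len(name)) for n in counts.values())
    return has_alpha and has_digit and entropy >= min_entropy


def assess_run_entry(value_name, cmdline, dirs):
    """Collect the indicators a single Run-key entry exhibits."""
    tokens = split_command(cmdline)
    if not tokens:
        return None
    exe = PureWindowsPath(tokens[0])
    folder = exe.parent
    siblings = [f.lower() for f in dirs.get(str(folder), [])]
    signals = []
    if str(folder).lower().startswith(PROGRAMDATA.lower() + "\\"):
        signals.append("target under ProgramData")
    if looks_random(folder.name):
        signals.append("random-looking folder name")
    if any(t.lower().endswith(".ahk") for t in tokens[1:]):
        signals.append(".ahk script passed as argument")
    if any(f.endswith(".ahk") for f in siblings):
        signals.append(".ahk script beside the executable")
    return {"value": value_name, "exe": str(exe), "signals": signals}


def find_suspicious(run_keys=SAMPLE_RUN_KEYS, dirs=SAMPLE_DIRS, threshold=3):
    """Return Run-key entries showing at least `threshold` indicators."""
    hits = []
    for value_name, cmdline in run_keys.items():
        assessment = assess_run_entry(value_name, cmdline, dirs)
        if assessment and len(assessment["signals"]) >= threshold:
            hits.append(assessment)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious():
        print(f"[!] Run value '{hit['value']}' -> {hit['exe']}")
        for signal in hit["signals"]:
            print(f"    - {signal}")
```

On a live host the two dictionaries would be replaced by the output of a registry export and a directory listing; the scoring is deliberately signal-based so that a single benign trait (for example a legitimate application installed under ProgramData) does not raise an alert on its own.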
To read more, please check eScan Blog