Mekotio banking trojan has been discovered leveraging AutoHotKey (AHK) and AHK compiler to evade detection. According to the Cofense PDC, this malware has been used in phishing emails targeting Spanish users.
What has happened?
The latest attack campaigns are focused on customers of banks in Latin America and Europe (France, Portugal, and Spain).
- The banking trojan targets Spanish-language users using two separate emails as an initial infection vector. One is a request to download a password-protected file and the other is a spoofed notification.
- In both spam emails, the malicious code is included in a .ZIP file that is downloaded to the victim’s computers.
Tactics, Techniques, and Procedures
The malicious emails have three files: a legitimate AHK compiler executable, a malicious AHK script, and the Mekotio banking trojan itself.
- These files are unpacked into a randomly named file saved in the local hard drive. A script then runs the AHK compiler to execute the AHK script, which loads Mekotio malware into the AHK compiler memory.
- The trojan will then operate from within the AHK compiler process via using a signed binary as a disguise to make detection more challenging for endpoint solutions to stay hidden.
- For persistence, it copies all three files in a new folder and uses a run key to start the execution chain, every single time the system reboots, by executing the renamed copy of the AHK compiler.
Mekotio has several additional capabilities, including:
- Monitoring the browser activity of targeted banks
- Presenting the user with a fake version of the webpage
- Monitoring Bitcoin addresses copied by users and replacing the value in the clipboard with the one belonging to the attackers
A major takeaway from these recent attack campaigns is that legitimate binaries can be used for malicious activity. Thus, experts recommend staying alert while downloading files from unknown sources on the internet. In addition, always check for random new file folders created in the Windows Program Data directory.