The Cofense Phishing Defense Center (PDC) has observed banking Trojans abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information. In this post we take a brief look at the case of Mekotio, also known as Metamorfo, a banking Trojan with Latin American origins that is now expanding its reach to victims across Europe.
Phishing Email
Figures 1 and 2 are two example emails sent as the campaign’s first step, both targeting Spanish users. Figure 2 is a simple request to download a password-protected file and is devoid of context. Figure 1, by contrast, is a more elaborate spoofed notification about pending legal documents, with a link that downloads a ZIP file.
Figure 1 – Email 1
Figure 2 – Email 2
Delivery: Malicious MSI and Finger Commands
The PDC encountered two main mechanisms delivering the payload. In the first, a ZIP file contains an MSI file that references a malicious domain hosting 32- and 64-bit versions of a second ZIP file (Figure 3).
Figure 3 – Payload Domain
The Custom Actions table of these MSI files confirms the malicious intent. This table allows custom code to be embedded in the installation package and is often abused by attackers. Figure 4 shows an action titled “dqidwlCTIewiuap” containing obfuscated JavaScript. The JavaScript is responsible for downloading the correct version of the ZIP file from the payload site, unzipping its contents, renaming them, and placing them in a new randomly named folder.
Figure 4 – Custom Actions Table
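The CustomAction table row described above is recognisable from its Type column alone: Windows Installer encodes what runs (DLL, EXE, JScript, VBScript), where the code is stored, and execution flags as bit fields in that integer. The following triage script is an added example written for this post and is not Cofense's tooling; it decodes those bits and flags script-type actions with an inline body, hidden Targets, and actions that run without impersonation. The `load_custom_actions` helper uses the standard-library `msilib` module, which exists only on Windows (and was removed in Python 3.13); the sample rows at the bottom are constructed, and the action name is the one shown in Figure 4.

```python
"""Triage of the Windows Installer CustomAction table (added example, not Cofense's code)."""
from dataclasses import dataclass

# Low three bits of Type: what kind of code the action runs (msidbCustomActionType* values).
BASE_TYPES = {1: "DLL", 2: "EXE", 3: "text data", 5: "JScript", 6: "VBScript", 7: "nested MSI"}
# Bits 4-5 of Type: where the code comes from. For script actions, 0x20 means the
# script body is stored inline in the Target column and 0x30 means it sits in a property.
SOURCE_TYPES = {0x00: "Binary table", 0x10: "installed file", 0x20: "inline Target", 0x30: "Property"}
# Execution flags that matter for triage.
FLAGS = {0x0040: "continue", 0x0080: "async", 0x0400: "deferred",
         0x0800: "no-impersonate", 0x2000: "hide-target"}
# Script tokens that indicate download/launch capability or string-decoding obfuscation.
CAPABILITY_TOKENS = ("XMLHTTP", "WScript.Shell", "Shell.Application", "ADODB.Stream")
OBFUSCATION_TOKENS = ("eval(", "unescape(", "fromCharCode", "String.prototype")


@dataclass
class Finding:
    action: str
    base: str
    source: str
    flags: list
    reasons: list

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def decode_custom_action(action: str, ctype: int, source: str, target: str) -> Finding:
    """Decode one CustomAction row and collect the reasons an analyst should look at it."""
    base_code, source_code = ctype & 0x07, ctype & 0x30
    base = BASE_TYPES.get(base_code, f"unknown({base_code})")
    src = SOURCE_TYPES.get(source_code, "?")
    flags = [name for bit, name in FLAGS.items() if ctype & bit]
    reasons = []
    if base_code in (5, 6):                       # JScript / VBScript custom action
        reasons.append(f"{base} custom action")
        if source_code == 0x20 and target:
            reasons.append("script body stored inline in Target")
    if base_code == 2 and source_code == 0x30:    # EXE path taken from a property at install time
        reasons.append("EXE launched via property value")
    if ctype & 0x2000:
        reasons.append("Target hidden from the install log")
    if ctype & 0x0800:
        reasons.append("deferred action runs as LocalSystem")
    if any(tok in target for tok in CAPABILITY_TOKENS):
        reasons.append("script can download or launch programs")
    if any(tok in target for tok in OBFUSCATION_TOKENS):
        reasons.append("script uses string-decoding obfuscation")
    return Finding(action, base, src, flags, reasons)


def load_custom_actions(msi_path: str) -> list:
    """Read (Action, Type, Source, Target) rows from a real MSI. Windows only: relies on msilib."""
    import msilib  # assumption: available on the analysis host (CPython <= 3.12 on Windows)
    db = msilib.OpenDatabase(msi_path, msilib.MSIDBOPEN_READONLY)
    view = db.OpenView("SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`")
    view.Execute(None)
    rows = []
    while True:
        rec = view.Fetch()
        if rec is None:
            break
        rows.append((rec.GetString(1), rec.GetInteger(2), rec.GetString(3) or "", rec.GetString(4) or ""))
    view.Close()
    return rows


def triage(rows: list) -> list:
    """Return only the rows worth an analyst's attention."""
    return [f for f in (decode_custom_action(*row) for row in rows) if f.suspicious]


# Constructed sample rows: a benign property-setting action and a row shaped like Figure 4.
SAMPLE_ROWS = [
    ("SetTARGETDIR", 51, "TARGETDIR", "[ProgramFilesFolder]App"),
    ("dqidwlCTIewiuap", 37 | 0x2000, "",
     "var x=new ActiveXObject('MSXML2.XMLHTTP');eval(unescape('%76%61%72'));"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.action}: {f.base} from {f.source}, flags={f.flags}")
        for r in f.reasons:
            print("   -", r)
```

Run it against a real installer with `triage(load_custom_actions(path))` on a Windows analysis box; everywhere else the same decoder works on rows exported by any MSI table viewer. A Type of 37 (JScript, inline Target) or 38 (VBScript, inline Target) is not malicious on its own, but combined with a random-looking action name, hidden or obfuscated Target, and COM objects that fetch and run files, it is exactly the pattern this campaign shows.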