Mekotio Banking Trojan Resurges with Tweaked Code, Stealthy Campaign

The Mekotio Latin American banking trojan is bouncing back again soon after a number of of the gang that operates it have been arrested in Spain. Much more than 100 assaults in the latest months have highlighted a new an infection plan, indicating that the group continues to actively retool.

“The new marketing campaign started proper immediately after the Spanish Civil Guard introduced the arrest of 16 individuals included with Mekotio [aka Metamorfo] distribution in July,” in accordance to Check out Level Study (CPR). “It seems that the gang driving the malware were being capable to slim the gap promptly and modify tactics to keep away from detection.”

Mekotio, like other Latin American banking trojans, steals on the net banking logins and other money qualifications from unsuspecting victims. But they are continuously evolving to avoid detection. In this situation, the freshened-up Mekotio an infection vector contains “unprecedented elements” to keep detection prices low, in accordance to the firm’s evaluation, issued Wednesday. These are:

• A stealthier batch file with at the very least two levels of obfuscation
• New fileless PowerShell script that operates specifically in memory and
• Use of Themida v3 for packing the remaining DLL payload.

“In the last three months, we noticed somewhere around 100 attacks use new, uncomplicated obfuscation strategies, with the enable of a substitution cipher, to disguise the initially module of the attack,” according to CPR. “This easy obfuscation system lets it to go undetected by most of the antivirus merchandise.”

Layers and Layers in the Malware Deployment

The assaults are multistage in all phases, and they commence with Spanish-language phishing email messages containing a .ZIP archive connection or .ZIP file attachment. The lure is a claim that the email includes a digital tax receipt pending submission.

If a user is duped into clicking on either form of .ZIP file, the aforementioned stealthy batch file executes. In change, it issues a PowerShell command to down load and run a PowerShell script in memory.

Batch File Stealth

The batch file has two levels of obfuscation and generally incorporates a file identify that commences with “Contacto,” according to CPR.

“The first layer of the obfuscation is a uncomplicated substitution cipher,” scientists discussed. “Substitution ciphers encrypt plaintext by replacing each individual image in the plaintext with the corresponding image from the lookup table.”

The next layer of obfuscation is a system that takes slices of the command code and will save them in various ecosystem variables. When these are concatenated, the PowerShell command emerges that downloads the PowerShell script.

The PowerShell Script

The PowerShell script is liable for conducting pre-an infection checks, i.e., deciding if the concentrate on is located in a sought after geography in just Latin The usa (Brazil, Chile, Mexico, Spain or Peru), and verifying that it is not jogging in a virtual device/sandbox atmosphere.

“The subsequent thing the script does is to create an vacant file, made use of as a footprint, whose identify is the existing day,” in accordance to the firm. “This lets it know if it currently ran in the method. If the file previously exists, the script stops the execution.”

Soon after that, it establishes persistence (by incorporating a new benefit to the subsequent registry essential: “HKCUSoftwareMicrosoftWindowsCurrentVersionRun”) and then it downloads a secondary .ZIP archive to the ProgramData Listing.

That secondary .ZIP archive has three files, which are extracted, renamed and saved in a new listing on the infected system. The PowerShell script checks the sizing of the extracted files to distinguish amongst the style and the goal of the data files.

The initial file is an interpreter for AutoHotkey (AHK), which is an open-supply scripting language for Windows that allows consumers build shortcuts to documents. The malware added its use of AHK to the mix past March as nonetheless yet another evasion tactic.

The PowerShell script employs the interpreter to run a 2nd file, which is an AHK script and the AHK script then runs the third file, which is the Mekotio payload (in the form of a DLL packed with Themida v3).

Themida is a legitimate application protector/encryptor that was at first produced to maintain a cyberattacker from right inspecting or modifying the code of a compiled application.

At the time unpacked, “the DLL incorporates the main Mekotio banker functionality for actions this sort of as thieving entry qualifications for electronic banking portals and a password stealer,” according to CPR investigation. “The stolen information is sent to the command-and-handle server.”

When banking trojans targeting Latin The usa are typical, they’re intriguing to analyze because they have a tendency to be modular, indicating that attackers can make small tweaks in purchase to keep off the detection radar, scientists observed.

“CPR sees a great deal of old destructive code utilised for a very long time, and still the attacks manage to keep beneath the radar of antivirus and endpoint detection and reaction (EDR) alternatives by shifting packers or obfuscation approaches these types of as a substitution cipher,” they claimed. “Our assessment of this marketing campaign highlights the attempts that attackers make to conceal their malicious intentions, bypass security filtering and trick customers.”

How to Safeguard In opposition to Banking Trojans

To secure against this form of attack, CPR presented the subsequent simple anti-social-engineering ideas:

Be suspicious of any email or conversation from a common model or business that asks you to click on on a website link or open an attached document

Beware of lookalike domains, spelling problems in e-mail or internet sites, and unfamiliar email senders

Be cautious with files been given by using email from unknown senders, primarily if they prompt for a certain motion you would not normally do

Really don’t click on advertising back links in e-mail, and as a substitute, Google the seller and click the website link from the Google benefits site

Beware of “special” offers that really don’t show up to be dependable or reputable obtain chances and

Do not reuse passwords in between diverse apps and accounts.

Test out our free upcoming are living and on-desire on the web city halls – exceptional, dynamic discussions with cybersecurity industry experts and the Threatpost neighborhood.