Metamorfo Banking Trojan

A legitimate binary for creating shortcut keys in Windows is being used to help the malware sneak past defenses, in a rash of new campaigns.

The Cofense Phishing Defense Center (PDC) has observed banking Trojans abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information.

Researchers say Mekotio, also known as Metamorfo, is a banking Trojan with Latin American origins that is currently expanding its reach to victims across Europe.

Phishing Email

Two examples of the emails sent as the campaign’s first step were observed, both targeting Spanish users. The first email (Figure 1) is a more elaborate spoofed notification about pending legal documents, with a link that downloads a ZIP file. The second (Figure 2) is a simple request to download a password-protected file and is devoid of context.

Figure 1: Email 1

Figure 2: Email 2

The researchers observed two main mechanisms delivering the payload. In the first, a ZIP file contains an MSI file that references a malicious domain hosting 32-bit and 64-bit versions of a second ZIP file. The Custom Actions table of these MSI files confirms the malicious intent: this table allows custom code to be incorporated into an installation package and is often abused by attackers.

An action in the table contains obfuscated JavaScript. The JavaScript downloads the correct version of the ZIP file from the payload site, unzips its contents, renames them and places them in a new, randomly named folder.

In the second scenario, the original ZIP file drops an LNK (shortcut) file containing a malicious Finger command. Finger.exe is a native Windows command that retrieves information about a remote user. Here the command is used to contact a server, which displays the contents of a hosted file in a command shell. That file is a PowerShell script, which then runs in the shell.

AHK is a scripting language for Windows originally developed to create keyboard shortcuts. The MSI or PowerShell script runs the AHK compiler, the AHK compiler executes the AHK script, and the AHK script loads Mekotio into the AHK compiler’s memory.

Mekotio then operates from within the AHK compiler process, using the signed binary as a front to make detection harder for endpoint solutions. It monitors browser activity for targeted banks; once it identifies one, it is known to present the user with a fake version of the bank’s webpage. It also disables specific browser registry values associated with password and form suggestions and autocompletion.

The Trojan can also monitor Bitcoin addresses copied to the clipboard and replace them with one belonging to the attackers.

The most important takeaway is that legitimate binaries can be leveraged as a facade for malicious activity. Vigilance is key: if a file or process is not meant to be there, it’s best to check.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.