AutoHotKey used by Mekotio Trojan to Avoid Detection


Mekotio is a Latin American banking trojan that targets users mainly in Brazil, Mexico, Spain, Chile, Peru, and Portugal. It is persistent malware distributed via phishing emails, and it maintains persistence either by creating an LNK file in the startup folder or by using a Run key. The malware has been used in phishing emails targeting Spanish users. The Mekotio banking trojan has been discovered leveraging AutoHotKey (AHK) and the AHK compiler to evade detection.

The latest attack campaigns of the trojan are focused on customers of banks in Latin America and Europe (France, Portugal, and Spain). It uses two separate emails as initial attack vectors: one is a request to download a password-protected file and the other is a spoofed notification. In both spam emails, the malicious code is included in a .ZIP file that is downloaded to the victim's computer.

The fraudulent emails deliver a legitimate AHK compiler executable, a malicious AHK script, and the Mekotio banking trojan itself. These files are extracted into a randomly named file folder on the local hard drive. A script then runs the AHK compiler to execute the AHK script, which loads the Mekotio malware into the AHK compiler's memory. The trojan then operates from within the AHK compiler process, using the signed binary as a disguise so that it stays hidden and is harder for endpoint solutions to detect. Hence experts advise being extremely alert when downloading files from unknown sources on the internet, and always checking for random new file folders created in the Windows ProgramData directory.
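As an added illustration (not code from the original article or its source), the execution chain described above can be turned into a simple hunting rule over process-creation telemetry: flag an AutoHotkey binary, or the .ahk script it is given, running out of a randomly named folder directly under ProgramData. The sample events, the list of AHK binary names, the "randomly named folder" heuristic and the vendor allow-list are all constructed assumptions for this example.

```python
"""Hunt for the Mekotio-style AutoHotkey execution chain in process telemetry."""
import ntpath
import re

# Constructed, Sysmon-like process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\ProgramData\k3x9qz\AutoHotkeyU32.exe",
     "cmdline": r'"C:\ProgramData\k3x9qz\AutoHotkeyU32.exe" "C:\ProgramData\k3x9qz\load.ahk"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",  # benign developer use
     "cmdline": r'"C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Users\dev\macros\hotkeys.ahk"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Assumed file names of the AutoHotkey interpreter/compiler binaries.
AHK_BINARIES = {"autohotkey.exe", "autohotkeyu32.exe", "autohotkeyu64.exe",
                "autohotkeya32.exe", "ahk2exe.exe"}
# Heuristic assumption: a short alphanumeric directory directly under ProgramData
# that is not a known vendor directory is treated as "randomly named".
RANDOM_DIR_RE = re.compile(r"^[A-Za-z]:\\ProgramData\\[A-Za-z0-9]{4,16}\\", re.IGNORECASE)
KNOWN_VENDOR_DIRS = {"microsoft", "adobe"}  # assumed allow-list, extend per environment
SCRIPT_ARG_RE = re.compile(r'"?([^"\s]+\.ahk)"?', re.IGNORECASE)


def is_ahk_binary(image: str) -> bool:
    """True if the executed image is one of the AutoHotkey binaries."""
    return ntpath.basename(image).lower() in AHK_BINARIES


def in_random_programdata_dir(path: str) -> bool:
    """True if the path sits in a randomly named folder directly under ProgramData."""
    if not RANDOM_DIR_RE.match(path):
        return False
    return path.split("\\")[2].lower() not in KNOWN_VENDOR_DIRS


def classify(event: dict) -> list:
    """Return the detection reasons that apply to one process-creation event."""
    reasons = []
    if not is_ahk_binary(event["image"]):
        return reasons
    if in_random_programdata_dir(event["image"]):
        reasons.append("ahk_binary_in_random_programdata_dir")
    scripts = SCRIPT_ARG_RE.findall(event["cmdline"])
    if any(in_random_programdata_dir(s) for s in scripts):
        reasons.append("ahk_script_in_random_programdata_dir")
    return reasons


def hunt(events: list) -> list:
    """Return (image, reasons) for every event that triggers at least one reason."""
    return [(e["image"], classify(e)) for e in events if classify(e)]
```

Run over the sample, only the first event is reported, with both reasons; the developer's legitimately installed AutoHotkey is not flagged because neither its binary nor its script lives in a random ProgramData folder.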


Link: https://cyware.com/news/mekotio-tojan-is-using-autohotkey-to-avoid-detection-d9d237d4

By Hrithik Lall
