Mekotio is a Latin American banking trojan that mainly targets users in Brazil, Mexico, Spain, Chile, Peru, and Portugal. The malware is distributed via phishing emails and achieves persistence either by creating an LNK file in the startup folder or by adding a Run key. It has been used in phishing emails targeting Spanish users, and the Mekotio banking trojan has been discovered leveraging AutoHotKey (AHK) and the AHK compiler to evade detection.
The trojan's latest attack campaigns focus on customers of banks in Latin America and Europe (France, Portugal, and Spain). They use two separate emails as initial attack vectors: one is a request to download a password-protected file and the other is a spoofed notification. In both spam emails, the malicious code is delivered in a .ZIP file that is downloaded to the victim's computer.
The attachment in the fraudulent emails contains a legitimate AHK compiler executable, a malicious AHK script, and the Mekotio banking trojan itself. These files are extracted into a randomly named folder on the local hard drive. A script then runs the AHK compiler to execute the AHK script, which loads the Mekotio malware into the AHK compiler's memory. The trojan then operates from within the AHK compiler process, using the signed binary as a disguise that makes detection harder for endpoint solutions. Experts therefore advise being extremely alert when downloading files from unknown sources on the internet, and checking for random new folders created in the Windows ProgramData directory.
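As an added defender-side example (not code from the article or from Cyware), the following Python triage function flags the three artifacts described above in constructed Sysmon-style events: the AHK interpreter or compiler running an .ahk script from a ProgramData folder, a Run key pointing into ProgramData, and an LNK dropped into the Startup folder. The executable names, the event format and the sample events are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the article only says "AHK compiler executable"; these are the
# usual on-disk names of the AutoHotkey interpreter and compiler.
AHK_BINARIES = {"autohotkey.exe", "ahk2exe.exe"}
RUN_KEY = "\\currentversion\\run\\"
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# Constructed sample telemetry (not from the article) in a simplified
# key="value" form loosely modelled on Sysmon process/registry/file events.
SAMPLE_EVENTS = [
    'type=ProcessCreate image="C:\\ProgramData\\k2q9xz\\AutoHotkey.exe" '
    'cmdline="C:\\ProgramData\\k2q9xz\\AutoHotkey.exe C:\\ProgramData\\k2q9xz\\cfg.ahk"',
    'type=RegistrySet key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\cfg" '
    'value="C:\\ProgramData\\k2q9xz\\AutoHotkey.exe"',
    'type=FileCreate path="C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cfg.lnk"',
    # Benign: a user-installed AutoHotkey and a normal OneDrive Run entry.
    'type=ProcessCreate image="C:\\Program Files\\AutoHotkey\\AutoHotkey.exe" cmdline="AutoHotkey.exe hotkeys.ahk"',
    'type=RegistrySet key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" '
    'value="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
]

def parse_event(line):
    """Split a key="value" / key=value line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def under_programdata(path):
    return path.lower().startswith("c:\\programdata\\")

def triage(lines):
    """Return (rule, detail) findings for the Mekotio tradecraft the article describes."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "ProcessCreate":
            image = ev.get("image", "")
            name = PureWindowsPath(image).name.lower()
            # Signed AHK binary started from a dropped ProgramData folder and
            # handed an .ahk script: the loader stage described in the article.
            if name in AHK_BINARIES and under_programdata(image) and ".ahk" in ev.get("cmdline", "").lower():
                findings.append(("ahk_from_programdata", image))
        elif kind == "RegistrySet":
            # Run-key persistence whose target lives in ProgramData.
            if RUN_KEY in ev.get("key", "").lower() and under_programdata(ev.get("value", "")):
                findings.append(("run_key_to_programdata", ev["key"]))
        elif kind == "FileCreate":
            # LNK persistence in the per-user Startup folder.
            path = ev.get("path", "")
            if STARTUP_DIR in path.lower() and path.lower().endswith(".lnk"):
                findings.append(("startup_lnk", path))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```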
Link: https://cyware.com/news/mekotio-tojan-is-using-autohotkey-to-avoid-detection-d9d237d4