AutoHotKey Leveraged by Metamorfo/Mekotio Banking Trojan
By Elmer Hernandez, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) has observed banking Trojans abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information. In this post we take a brief look at the case of Mekotio, also known as Metamorfo, a banking Trojan with Latin American origins that is now expanding its reach to victims across Europe.
Figures 1 and 2 are two example emails sent as the campaign’s first step, both targeting Spanish users. Figure 2 is a simple request to download a password-protected file and is devoid of context, while Figure 1 is a more elaborate spoofed notification about pending legal documents, with a link that downloads a ZIP file.
Figure 1 – Email 1
Figure 2 – Email 2
Delivery: Malicious MSI and Finger Commands
The PDC encountered two main mechanisms delivering the payload. In the first, a ZIP file contains an MSI file that includes a malicious domain harboring 32- and 64-bit versions of a second ZIP file (Figure 3).
Figure 3 – Payload Domain
Figure 4 – Custom Actions Table