Cofense Email Security

AutoHotKey Leveraged by Metamorfo/Mekotio Banking Trojan

By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed banking Trojans abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information. In this post we take a brief look at the case of Mekotio, also known as Metamorfo, a banking Trojan with Latin American origins that is now expanding its reach to victims across Europe.

Phishing Email

Figures 1 and 2 are two example emails sent as the campaign’s first step, both targeting Spanish users. Figure 2 is a simple request to download a password-protected file and is devoid of context. While Figure 1 is a more elaborate spoofed notification about pending legal documents, with a link that downloads a ZIP file.

Figure 1 – Email 1

Figure 2 – Email 2

Delivery: Malicious MSI and Finger Commands

The PDC encountered two main mechanisms delivering the payload. In the first instance there is a ZIP file containing an MSI file that includes a malicious domain harboring 32 and 64-bit versions of a second ZIP file (Figure 3).

Graphical user interface, application Description automatically generated

Figure 3 – Payload Domain

The Custom Actions table of these MSI files confirms the malicious intent. This table enables the incorporation of custom code to the installation package and is often abused by attackers. Figure 4 shows an action titled “dqidwlCTIewiuap” containing obfuscated JavaScript. The JavaScript is responsible for downloading the correct version of the ZIP file from the payload site, unzipping its contents, renaming and placing it into a new randomly named folder.

Table Description automatically generated with low confidence

 

Figure 4 – Custom Actions Table

A picture containing text, newspaper, screenshot Description automatically generated

Figure 5 – Obfuscated JavaScript

In the second scenario the original ZIP file drops an LNK or shortcut file containing a malicious Finger command. Finger.exe is a native Windows command that allows the retrieval of information about a remote user.

Figure 6 shows the malicious Finger query. The command contacts a server at 89[.]44[.]9[.]254 and displays the contents of a hosted file in a command shell. The file in question is a PowerShell script that will run in this shell.

Figure 6 – Finger Command

Figures 7 and 8 show the TCP stream with the Finger server and the PowerShell script sent by it. The script carries out similar actions to the MSI: it downloads a ZIP file, renames it, copies it to a newly created folder and unzips it there.

A screenshot of a computer Description automatically generated with medium confidence

Figure 7 – TCP Stream

Graphical user interface, text Description automatically generated

Figure 8 – PowerShell Script

The PDC also saw both tactics combined in at least one case, by incorporating the malicious Finger command directly into the MSI Custom Actions table (Figure 9).

Figure 9 – Finger Command Within MSI

AutoHotKey and Mekotio

This second ZIP file contains three files: the legitimate AHK compiler executable (.exe), a malicious AHK script (.ahk) and the Mekotio banking Trojan (.dll). AHK is a scripting language for Windows originally developed to create keyboard shortcuts (i.e. hot keys). In the example below (Figure 10), all files were dropped in C:\ProgramData{random name}.

Graphical user interface, text, application Description automatically generated

Figure 10 – Dropped Files

The execution chain can be summarized in the following way: before exiting, the MSI or PowerShell script will run the AHK compiler, the AHK compiler will execute the AHK script and the AHK script will load Mekotio into the AHK compiler memory. We can verify this by taking a look at the loaded modules in Figure 11.

Table Description automatically generated

Figure 11 – Mekotio Loaded

Mekotio will then operate from within the AHK compiler process, using the signed binary as a front to make detection more difficult for endpoint solutions.

For persistence it drops copies of all three files in a new folder. It will then use a run key to initiate the execution chain every time the system restarts by executing the renamed copy of the AHK compiler.

Figure 12 – Run Key for AHK Compiler Copy “gur.exe”

Mekotio monitors browser activity looking for targeted banks. Figure 13 displays some of the targeted institutions in the form of strings in the AHK compiler process memory. We can see banks not only from Latin American, but from Spain, France and Portugal. Once it identifies a target, Mekotio is known to present the user with a fake version of the webpage.

A picture containing table Description automatically generated

Figure 13 – Memory Strings

Mekotio disables specific registry browser values associated with password and form suggestions and autocompletion (Figure 14). This forces the user to type in sensitive information, even if they have it saved in their browser history, allowing the malware to capture credentials with its keylogging capabilities.

Figure 14 – Registry Values

The Trojan can also monitor Bitcoin addresses copied to the clipboard and replace them with one belonging to the attackers. Figures 15a to 15c show this process. As of this writing, this specific attacker address had a balance of 0.01957271 BTC, approximately USD $800 (Figure 16).

Graphical user interface, application Description automatically generated

Figure 15a – Copying Example BTC Address

Graphical user interface, application, Word Description automatically generated

Figure 15b – Pasting Example BTC Address

Graphical user interface, application, Word Description automatically generated

Figure 15c – BTC Address is replaced

Graphical user interface, application Description automatically generated

Figure 16 – BTC Balance

The above functionalities are neither exhaustive nor exclusive to Mekotio. The main takeaway is that legitimate binaries can be leveraged as a façade for malicious activity. Vigilance is key. If a file or process is not meant to be there, it’s best to check.

Indicators of Compromise

Infection Domain IP
hxxp://priyadarsiniculturalsociety[.]com//images/?hash=%email% 51[.]81[.]75[.]131
hxxp://hothiphopbeats[.]com//images/?hash=%email% 209[.]40[.]193[.]208
hXXp://www3[.]santoandre[.]sp[.]gov[.]br/assistencia/wp-folha/TGR 189[.]1[.]163[.]21
Payload Domain IP
hxxp://critichotshot[.]com/loc/ 162[.]255[.]118[.]194
hxxps://thaipoliticstoday[.]com/saudi-news-tq1vh/ 172[.]67[.]181[.]248
hXXp://web[.]groupe-convergence[.]com/ 213[.]186[.]33[.]69
hXXp://www[.]aralimp[.]com[.]br/wp-content/upgrade/TGR/SII_000492106006B8[.]zip 177[.]12[.]164[.]108
hXXp://umc24[.]club//wp-content/gallery/ 217[.]160[.]0[.]235
hXXps://leopard-hunt[.]com//wp-content/userr/20AVW5RSJKV8948[.]zip

104[.]21[.]63[.]133

172[.]67[.]145[.]198

89[.]44[.]9[.]254
104[.]214[.]107[.]176
C2 IP
es[.]sslhermanos[.]com

45[.]147[.]229[.]128

45[.]147[.]231[.]119

hxxp://40[.]112[.]173[.]53/again/?oriudfjdfij88 40[.]112[.]173[.]53
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.  
Share This Article
Facebook
Twitter
LinkedIn

Search

We use our own and third-party cookies to enhance your experience. Read more about our cookie policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.