AutoHotKey Leveraged by Metamorfo/Mekotio Banking Trojan

Share Now


By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed banking Trojans abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information. In this post we take a brief look at the case of Mekotio, also known as Metamorfo, a banking Trojan with Latin American origins that is now expanding its reach to victims across Europe.

Phishing Email

Figures 1 and 2 are two example emails sent as the campaign’s first step, both targeting Spanish users. Figure 2 is a simple request to download a password-protected file and is devoid of context. While Figure 1 is a more elaborate spoofed notification about pending legal documents, with a link that downloads a ZIP file.

Figure 1 – Email 1

Figure 2 – Email 2

Delivery: Malicious MSI and Finger Commands

The PDC encountered two main mechanisms delivering the payload. In the first instance there is a ZIP file containing an MSI file that includes a malicious domain harboring 32 and 64-bit versions of a second ZIP file (Figure 3).

Graphical user interface, application Description automatically generated

Figure 3 – Payload Domain

The Custom Actions table of these MSI files confirms the malicious intent. This table enables the incorporation of custom code to the installation package and is often abused by attackers. Figure 4 shows an action titled “dqidwlCTIewiuap” containing obfuscated JavaScript. The JavaScript is responsible for downloading the correct version of the ZIP file from the payload site, unzipping its contents, renaming and placing it into a new randomly named folder.

Table Description automatically generated with low confidence


Figure 4 – Custom Actions Table