Nov 5, 2021
Mekotio Banking Trojan Resurges with Tweaked Code, Stealthy Campaign

The banker, aka Metamorfo, is roaring back after Spanish police arrested more than a dozen gang members.
The Mekotio Latin American banking trojan is bouncing back after several members of the gang that operates it were arrested in Spain. More than 100 attacks in recent weeks have featured a new infection routine, indicating that the group continues to actively retool.
“The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio [aka Metamorfo] distribution in July,” according to Check Point Research (CPR). “It appears that the gang behind the malware were able to narrow the gap quickly and change tactics to avoid detection.”

Mekotio, like other Latin American banking trojans, steals online banking logins and other financial credentials from unsuspecting victims. Such trojans constantly evolve to avoid detection. In this case, the freshened-up Mekotio infection vector contains “unprecedented elements” to keep detection rates low, according to the firm’s analysis, issued Wednesday. These are:
“In the last three months, we saw approximately 100 attacks use new, simple obfuscation techniques, with the help of a substitution cipher, to hide the first module of the attack,” according to CPR. “This simple obfuscation technique allows it to go undetected by most of the antivirus products.”
The attack chain is multistage throughout, and it begins with Spanish-language phishing emails containing a link to a .ZIP archive or a .ZIP file attachment. The lure is a claim that the email contains a digital tax receipt pending submission.
If a user is duped into opening either form of .ZIP file, the obfuscated batch file (the first module of the attack) executes. In turn, it issues a PowerShell command to download and run a PowerShell script in memory.
The batch file has two layers of obfuscation and often contains a file name that starts with “Contacto,” according to CPR.
“The first layer of the obfuscation is a simple substitution cipher,” researchers explained. “Substitution ciphers encrypt plaintext by replacing each symbol in the plaintext with the corresponding symbol from the lookup table.”
The second layer of obfuscation takes slices of the command and stores them in separate environment variables. When these are concatenated, the PowerShell command that downloads the PowerShell script emerges.
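The two batch-file layers described above can be reversed by an analyst without running the file. The following is an added example, not code from Threatpost or Check Point Research: it harvests the `set NAME=VALUE` slices, concatenates them the way cmd.exe would, applies a recovered substitution table, and reports the indicators a detection rule could key on. The substitution table (a plain rotation of the letters), the variable names and the sample batch text are all constructed for illustration; a real sample carries its own table, which the analyst recovers first.

```python
"""Analyst-side deobfuscator for sliced, substitution-enciphered batch files.
Added example; the table, variable names and sample below are constructed."""
import re
from typing import Dict, List, Tuple

# Assumed lookup table: symbols as they appear in the obfuscated file, and the
# plaintext symbol each one stands for.  Here it is a simple rotation of the
# letters; a real sample embeds whatever table its author chose.
OBFUSCATED = "nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM"
PLAINTEXT = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
SUBSTITUTION_TABLE = str.maketrans(OBFUSCATED, PLAINTEXT)

# Constructed sample: three environment variables each hold a slice of the
# enciphered command and the last line glues them back together.  The real
# batch file also decodes the text inside cmd.exe; that step is omitted here
# because the analyst applies the recovered table offline instead.
SAMPLE_BATCH = r'''@echo off
set c1=cbjrefuryy -Ab
set c2=Cebsvyr -Pbzz
set c3=naq "Trg-Qngr"
%c1%%c2%%c3%
'''

SET_LINE = re.compile(r'^\s*set\s+([A-Za-z0-9_]+)=(.*)$', re.IGNORECASE)
VAR_REF = re.compile(r'%([A-Za-z0-9_]+)%')


def collect_env_vars(batch_text: str) -> Dict[str, str]:
    """Layer 2, step 1: harvest every `set NAME=VALUE` assignment (names are
    case-insensitive in cmd.exe, so they are normalised to lower case)."""
    env: Dict[str, str] = {}
    for line in batch_text.splitlines():
        m = SET_LINE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2).rstrip()
    return env


def expand(line: str, env: Dict[str, str]) -> str:
    """Layer 2, step 2: replace %NAME% references the way cmd.exe would.
    Unknown names are left literal so nothing is silently dropped."""
    return VAR_REF.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)


def decipher(text: str) -> str:
    """Layer 1: undo the substitution cipher with the recovered table."""
    return text.translate(SUBSTITUTION_TABLE)


def deobfuscate(batch_text: str) -> Tuple[str, List[str]]:
    """Return the recovered command and the detection indicators observed."""
    env = collect_env_vars(batch_text)
    indicators: List[str] = []
    recovered = ""
    for line in batch_text.splitlines():
        refs = VAR_REF.findall(line)
        # A line made of nothing but a chain of variable references is the
        # tell-tale of the sliced-command layer.
        if len(refs) >= 2 and VAR_REF.sub("", line).strip() == "":
            indicators.append(
                f"{len(refs)} environment-variable slices concatenated on one line")
            recovered = decipher(expand(line, env))
    if "powershell" in recovered.lower():
        indicators.append("recovered command launches PowerShell")
    return recovered, indicators


if __name__ == "__main__":
    command, found = deobfuscate(SAMPLE_BATCH)
    print("recovered:", command)
    for item in found:
        print("indicator:", item)
```

The heuristic in `deobfuscate` is deliberately structural: it flags the concatenation line itself rather than any particular cipher, so it still fires when the table changes between campaigns, which is exactly the kind of retooling the article describes.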
The PowerShell script is responsible for conducting pre-infection checks, i.e., determining if the target is located in a desired geography within Latin America (Brazil, Chile, Mexico, Spain or Peru), and verifying that it’s not running in a virtual machine/sandbox environment.
“The next thing the script does is to create an empty file, used as a footprint, whose name is the current date,” according to the firm. “This lets it know if it already ran in the system. If the file already exists, the script stops the execution.”
After that, it establishes persistence (by adding a new value to the following registry key: “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”); and then it downloads a secondary .ZIP archive to the ProgramData directory.
That secondary .ZIP archive contains three files, which are extracted, renamed and saved in a new directory on the infected system. The PowerShell script checks the size of the extracted files to distinguish between the type and the purpose of the files.
The first file is an interpreter for AutoHotkey (AHK), which is an open-source scripting language for Windows that lets users create shortcuts to files. The malware added its use of AHK to the mix last March as yet another evasion tactic.
The PowerShell script uses the interpreter to run a second file, which is an AHK script; and the AHK script then runs the third file, which is the Mekotio payload (in the form of a DLL packed with Themida v3).
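The persistence entry and the interpreter-plus-script launch chain described above leave a pattern a defender can hunt for: an HKCU Run value whose executable lives under ProgramData and is handed a sibling file to run. The following is an added example, not code from Threatpost or Check Point Research. The entry names, paths and thresholds are constructed; on Windows the `read_hkcu_run` helper reads the real key via the standard-library `winreg` module, elsewhere it returns nothing and the constructed sample is used.

```python
"""Hunting check for a ProgramData-resident autostart binary that runs a
sibling file.  Added example; sample entries and paths are constructed."""
import ntpath
import shlex
from typing import Dict, List

# Relative to HKEY_CURRENT_USER, as named in the article.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
PROGRAMDATA = r"c:\programdata"

# Constructed sample of what an HKCU Run key might hold: two ordinary entries
# and one that matches the staging pattern (renamed interpreter + script).
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\ProgramData\kx7q\host.exe C:\ProgramData\kx7q\host.dat",
    "Notepad": r"C:\Windows\System32\notepad.exe",
}


def split_command(command: str) -> List[str]:
    """Tokenise a Windows command line: quotes group, backslashes do not escape."""
    return [tok.strip('"') for tok in shlex.split(command, posix=False)]


def under_programdata(path: str) -> bool:
    d = ntpath.dirname(path).lower()
    return d == PROGRAMDATA or d.startswith(PROGRAMDATA + "\\")


def assess_run_entry(command: str) -> List[str]:
    """Return the reasons (if any) this autostart command looks like the
    interpreter-plus-script staging pattern."""
    tokens = split_command(command)
    if not tokens:
        return []
    exe, args = tokens[0], tokens[1:]
    reasons: List[str] = []
    if under_programdata(exe):
        reasons.append("autostart binary lives under ProgramData")
        exe_dir = ntpath.dirname(exe).lower()
        if any(ntpath.dirname(a).lower() == exe_dir for a in args):
            reasons.append("binary is handed a sibling file to run "
                           "(interpreter + script pattern)")
    return reasons


def hunt(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged Run value name to its reasons; clean entries are omitted."""
    flagged = {name: assess_run_entry(cmd) for name, cmd in entries.items()}
    return {name: why for name, why in flagged.items() if why}


def read_hkcu_run() -> Dict[str, str]:
    """Read the live HKCU Run key on Windows; return {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            entries[name] = str(data)
            index += 1
    return entries


if __name__ == "__main__":
    live = read_hkcu_run()
    for name, reasons in hunt(live or SAMPLE_RUN_ENTRIES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Because the article notes the extracted files are renamed, the check does not look for an AutoHotkey file name or extension; it keys on the location and the argument shape, which survive renaming.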
Themida is a legitimate software protector/encryptor that was originally created to keep a cyberattacker from directly inspecting or modifying the code of a compiled application.
Once unpacked, “the DLL contains the main Mekotio banker functionality for actions such as stealing access credentials for electronic banking portals and a password stealer,” according to CPR analysis. “The stolen data is sent to the command-and-control server.”
While banking trojans targeting Latin America are common, they’re interesting to analyze because they tend to be modular, meaning that attackers can make small tweaks in order to stay off the detection radar, researchers noted.
“CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of antivirus and endpoint detection and response (EDR) solutions by changing packers or obfuscation techniques such as a substitution cipher,” they said. “Our analysis of this campaign highlights the efforts that attackers make to conceal their malicious intentions, bypass security filtering and trick users.”
To protect against this type of attack, CPR offered the following basic anti-social-engineering tips: