The banker, aka Metamorfo, is roaring back after Spanish police arrested more than a dozen gang members.
The Mekotio Latin American banking trojan is bouncing back after several of the gang that operates it were arrested in Spain. More than 100 attacks in recent weeks have featured a new infection routine, indicating that the group continues to actively retool.
“The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio [aka Metamorfo] distribution in July,” according to Check Point Research (CPR). “It appears that the gang behind the malware were able to narrow the gap quickly and change tactics to avoid detection.”
Mekotio, like other Latin American banking trojans, steals online banking logins and other financial credentials from unsuspecting victims. But they’re constantly evolving to avoid detection. In this case, the freshened-up Mekotio infection vector contains “unprecedented elements” to keep detection rates low, according to the firm’s analysis, issued Wednesday. These are:
- A stealthier batch file with at least two layers of obfuscation;
- New fileless PowerShell script that runs directly in memory; and
- Use of Themida v3 for packing the final DLL payload.
“In the last three months, we saw approximately 100 attacks use new, simple obfuscation techniques, with the help of a substitution cipher, to hide the first module of the attack,” according to CPR. “This simple obfuscation technique allows it to go undetected by most of the antivirus products.”
Layers and Layers in the Malware Deployment
The attacks are multistage in all phases, and they begin with Spanish-language phishing emails containing a .ZIP archive link or .ZIP file attachment. The lure is a claim that the email contains a digital tax receipt pending submission.
If a user is duped into clicking on either form of .ZIP file, the aforementioned stealthy batch file executes. In turn, it issues a PowerShell command to download and run a PowerShell script in memory.
Batch File Stealth
The batch file has two layers of obfuscation and often contains a file name that starts with “Contacto,” according to CPR.
“The first layer of the obfuscation is a simple substitution cipher,” researchers explained. “Substitution ciphers encrypt plaintext by replacing each symbol in the plaintext with the corresponding symbol from the lookup table.”
The second layer of obfuscation is a technique that takes slices of the command code and saves them in different environment variables. When these are concatenated, the PowerShell command emerges that downloads the PowerShell script.
The PowerShell Script
The PowerShell script is responsible for conducting pre-infection checks, i.e., determining if the target is located in a desired geography within Latin America (Brazil, Chile, Mexico, Spain or Peru), and verifying that it’s not running in a virtual machine/sandbox environment.
“The next thing the script does is to create an empty file, used as a footprint, whose name is the current date,” according to the firm. “This lets it know if it already ran in the system. If the file already exists, the script stops the execution.”
After that, it establishes persistence (by adding a new value to the following registry key: “HKCUSoftwareMicrosoftWindowsCurrentVersionRun”); and then it downloads a secondary .ZIP archive to the ProgramData Directory.
That secondary .ZIP archive contains three files, which are extracted, renamed and saved in a new directory on the infected system. The PowerShell script checks the size of the extracted files to distinguish between the type and the purpose of the files.
The first file is an interpreter for AutoHotkey (AHK), which is an open-source scripting language for Windows that lets users create shortcuts to files. The malware added its use of AHK to the mix last March as yet another evasion tactic.
The PowerShell script uses the interpreter to run a second file, which is an AHK script; and the AHK script then runs the third file, which is the Mekotio payload (in the form of a DLL packed with Themida v3).
Themida is a legitimate software protector/encryptor that was originally created to keep a cyberattacker from directly inspecting or modifying the code of a compiled application.
Once unpacked, “the DLL contains the main Mekotio banker functionality for actions such as stealing access credentials for electronic banking portals and a password stealer,” according to CPR analysis. “The stolen data is sent to the command-and-control server.”
While banking trojans targeting Latin America are common, they’re interesting to analyze because they tend to be modular, meaning that attackers can make small tweaks in order to stay off the detection radar, researchers noted.
“CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of antivirus and endpoint detection and response (EDR) solutions by changing packers or obfuscation techniques such as a substitution cipher,” they said. “Our analysis of this campaign highlights the efforts that attackers make to conceal their malicious intentions, bypass security filtering and trick users.”
How to Protect Against Banking Trojans
To protect against this type of attack, CPR offered the following basic anti-social-engineering tips:
- Be suspicious of any email or communication from a familiar brand or organization that asks you to click on a link or open an attached document;
- Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders;
- Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do;
- Don’t click on promotional links in emails, and instead, Google the vendor and click the link from the Google results page;
- Beware of “special” offers that don’t appear to be reliable or trustworthy purchase opportunities; and
- Don’t reuse passwords between different applications and accounts.
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.
