The Banker Trojan, aka Metamorfo Is Back With a Tweaked Code and a Stealthy Campaign.


Mekotio is a banking trojan that mostly targets victims in Brazil, Chile, Mexico, Spain, Peru, and Portugal. The use of a SQL database as a C&C server is the most striking characteristic of the latest forms of this malware family.

Mekotio is a banking malware that has been around since at least 2015. As a result, it assaults by showing pop-up windows to its victims in an attempt to lure them to provide critical information. These windows are built to target Latin American banks and other financial organizations.

What Happened?

After many members of the group behind the Mekotio Latin American banking virus were apprehended in Spain, the trojan is making a comeback. In recent weeks, more than 100 attacks have contained a new infection routine, showing that the organization is still aggressively retooling.

The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio [aka Metamorfo] distribution in July. It appears that the gang behind the malware were able to narrow the gap quickly and change tactics to avoid detection.

The updated Mekotio infection vector has “unprecedented aspects” to keep detection rates low, like a stealthier batch file with at least two layers of obfuscation, a new fileless PowerShell script that runs directly in memory, and makes use of Themida v3 for packing the final DLL payload.

In the last three months, we saw approximately 100 attacks use new, simple obfuscation techniques, with the help of a substitution cipher, to hide the first module of the attack,” according to CPR. “This simple obfuscation technique allows it to go undetected by most of the antivirus products.

Mekotio M.O.

All phases of the assaults are multistage, starting with Spanish-language phishing emails with a “.ZIP” archive link or “.ZIP” file attachment. The bait is a claim that the email contains a digital tax receipt that has to be submitted right away.

The aforementioned stealthy batch file executes if a user is deceived into clicking on either type of.ZIP file. As a result, a PowerShell command is sent to download and run a PowerShell script in memory.

Most of the time the batch file contains a filename that starts with “Contacto” and has two layers of obfuscation; again, usually, the simpler substitution cipher constitutes the first layer of obfuscation.

The second layer of obfuscation employs a mechanism that preserves slices of command code in various environment variables. When you combine them, you get a PowerShell command that downloads the PowerShell script.

The PowerShell script is in charge of performing pre-infection tests, such as detecting whether the target is in a desirable Latin American geography (Brazil, Chile, Mexico, Spain, or Peru) and ensuring that it is not operating in a virtual machine or sandbox environment.

Following that, it creates persistence and then downloads a secondary, and then downloads a secondary .ZIP archive to the ProgramData Directory.

The next thing the script does is to create an empty file, used as a footprint, whose name is the current date,” according to the firm. “This lets it know if it already ran in the system. If the file already exists, the script stops the execution.

On the infected system, the ZIP bundle comprises three files, which are extracted, renamed, and stored in a new directory. The PowerShell script compares the size of the extracted files to determine the kind and purpose of the files.

The first file is an AutoHotkey (AHK) interpreter, which is a Windows open-source scripting language that allows users to create file shortcuts.

The PowerShell script uses the interpreter to run a second file, which is an AHK script; the AHK script then executes the third file, which is the Mekotio payload (in the form of a DLL packed with Themida v3).

Themida is a legal software protector/encryptor designed to prevent a cyberattacker from directly viewing or altering the code of a built program.

According to CPR research, once unpacked

the DLL includes the primary Mekotio banker functionality for tasks like as collecting access credentials for electronic banking interfaces and a password stealer. The stolen data is sent to the command and control server.

CPR sees a lot of old malicious code used for a long time, and yet the attacks manage to stay under the radar of antivirus and endpoint detection and response (EDR) solutions by changing packers or obfuscation techniques such as a substitution cipher,” they said. “Our analysis of this campaign highlights the efforts that attackers make to conceal their malicious intentions, bypass security filtering and trick users.