Metamorfo Banking Trojan Abuses AutoHotKey to Avoid Detection

login cyber security

A legitimate binary for creating shortcut keys in Windows is being used to help the malware sneak past defenses, in a rash of new campaigns.

The Metamorfo banking trojan is abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information, researchers have warned.

AHK is a scripting language for Windows originally developed to create keyboard shortcuts (i.e., hot keys).

According to the Cofense Phishing Defense Center (PDC), the malware (a.k.a. Mekotio) is targeting Spanish-language users using two separate emails as an initial infection vector. One is a purported request to download a password-protected file; and the other is an elaborate spoofed notification about pending legal documents, with a link that downloads a .ZIP file.

Metamorfo Abusing AHK
In both cases, the malicious code is contained in a .ZIP file that’s ultimately downloaded to victim computers. It contains three files: the legitimate AHK compiler executable (.EXE), a malicious AHK script (.AHK) and the banking trojan itself (.DLL). These are unpacked into a randomly named file housed in C:\\ProgramData.

A script will then run the AHK compiler, the AHK compiler will execute the AHK script, and the AHK script will finally load Metamorfo into the AHK compiler memory.

“[Metamorfo] will then operate from within the AHK compiler process, using the signed binary as a front to make detection more difficult for endpoint solutions,” researchers explained, in a posting on Thursday.

For persistence, copies of all three files are also placed in a new folder.

“It will then use a run key to initiate the execution chain every time the system restarts by executing the renamed copy of the AHK compiler,” according to the report.

Metamorfo Resurgence in LatAm, Europe
Metamorfo started life as a Latin American banking trojan, first discovered in April 2018, in various campaigns that share key commonalities (like the use of “spray-and-pray” spam tactics). Its campaigns however have small, “morphing” differences — which is the meaning behind its name.

A variant that emerged in February 2020, for instance, kills the auto-suggest data entry fields in browsers, forcing victims to write out their passwords – which it then tracks via a keylogger.

That trick is also present in the latest attacks, according to the PDC, with cybercrooks targeting customers of banks in Latin America and Europe (including France, Portugal and Spain).

Metamorfo monitors browser activity looking for targeted banks, which are listed in the form of strings in the AHK compiler process memory, researchers explained. When a victim opens one of the targeted banking pages, Metamorfo overlays it with a fake version of the webpage designed to harvest credentials.

“[Metamorfo] disables specific registry browser values associated with password and form suggestions and autocompletion,” researchers said. “This forces the user to type in sensitive information, even if they have it saved in their browser history, allowing the malware to capture credentials with its keylogging capabilities.”

This version of the trojan can also monitor Bitcoin addresses copied to a clipboard and replace them with one belonging to the attackers.

“As of this writing, this specific attacker address had a balance of 0.01957271 BTC, approximately $800,” researchers said.

Metamorfo’s Banking Trojan Infection Routine
The PDC encountered two main mechanisms for delivering the payload in these campaigns.

In the first instance, there is a .ZIP file containing an MSI file that includes a malicious domain harboring 32 and 64-bit versions of a second .ZIP file; and in the second scenario the original .ZIP file drops a shortcut file containing a malicious Finger command. Finger.exe is a native Windows command that allows the retrieval of information about a remote user.

“The Custom Actions table of these MSI files enables the incorporation of custom code to the installation package and is often abused by attackers,” said the researchers. “[The table] shows an action titled ‘dqidwlCTIewiuap’ containing obfuscated JavaScript. The JavaScript is responsible for downloading the correct version of the .ZIP file from the payload site, unzipping its contents, renaming and placing it into a new randomly named folder.”

In the second instance, a command is used to contact a server, which displays the contents of a hosted file in a command shell. The file in question is a PowerShell script that will run in this shell.

Read more at: