Mekotio Banking Trojan Resurges with Tweaked Code, Stealthy Campaign (Security News, November 2021)
A stealthier batch file with at least two layers of obfuscation.
ZIP file, the aforementioned stealthy batch file executes.
The batch file has two layers of obfuscation and often contains a file name that starts with "Contacto," according to CPR. "The first layer of the obfuscation is a simple substitution cipher," researchers explained.
The PowerShell script checks the size of the extracted files to distinguish between the type and the purpose of the files.
The first file is an interpreter for AutoHotkey, which is an open-source scripting language for Windows that lets users create shortcuts to files.
The PowerShell script uses the interpreter to run a second file, which is an AHK script, and the AHK script then runs the third file, which is the Mekotio payload. Themida is a legitimate software protector/encryptor that was originally created to keep a cyberattacker from directly inspecting or modifying the code of a compiled application.
News URL: https://threatpost.com/mekotio-banking-trojan-campaign/175981/