Metamorfo Banking Trojan Leverages AHK compiler to Evade Detection

A legitimate binary for creating shortcut keys in Windows is being used to help the malware sneak past defenses, in a rash of new campaigns.

The Cofense Phishing Defense Center (PDC) has observed banking Trojans abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information.

Researchers identify the malware as Mekotio, also known as Metamorfo, a banking Trojan with Latin American origins that is currently expanding its reach to victims across Europe.

Phishing Email

Two examples of the emails sent as the campaign's first step were observed, both targeting Spanish users. The first email (Figure 1) is a more elaborate spoofed notification about pending legal documents, with a link that downloads a ZIP file. The second (Figure 2) is a bare request to download a password-protected file, with no supporting context.

Figure 1: Email 1

Figure 2: Email 2

The researchers observed two main mechanisms delivering the payload. In the first instance, there is a ZIP file containing an MSI file that includes a…
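The delivery chain described above (a ZIP attachment carrying an MSI, with a component built by the AHK compiler) is something a phishing defense team can triage offline before detonation. The following Python is an added example for this article, not Cofense's tooling or anything recovered from the campaign. The sample archive is constructed inline; the AHK indicator strings (the ">AUTOHOTKEY SCRIPT<" resource name that older Ahk2Exe builds embed, and the "AutoHotkey" version-info string) are assumptions drawn from general knowledge of compiled AutoHotkey binaries rather than from this report, so treat them as a starting point for your own rules.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Header of an OLE Compound File. Windows Installer (.msi) packages use this container,
# so the magic bytes identify an MSI even when the member name lies about its extension.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# "MZ" signature at the start of a PE executable.
PE_MAGIC = b"MZ"
# Assumed indicators of an Ahk2Exe-compiled binary (not documented by the article):
# the resource name used for the embedded script in older builds, and the product string.
AHK_MARKERS = [b">AUTOHOTKEY SCRIPT<", b"AutoHotkey"]
# Guard against decompression bombs: never inflate more than this per member.
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def classify_member(name: str, data: bytes) -> List[str]:
    """Tag one archive member by content (magic bytes) and by claimed extension."""
    tags: List[str] = []
    if data.startswith(OLE_MAGIC):
        tags.append("ole-container")      # what an .msi actually looks like on disk
    if name.lower().endswith(".msi"):
        tags.append("msi-extension")
    if data.startswith(PE_MAGIC):
        tags.append("pe")
    if any(marker in data for marker in AHK_MARKERS):
        tags.append("ahk-compiled")       # assumed Ahk2Exe indicator, see lead-in
    return tags


def triage_zip(zip_bytes: bytes, pwd: Optional[bytes] = None) -> Dict[str, object]:
    """Walk a ZIP lure and report per-member tags plus an overall verdict.

    `pwd` covers the second lure variant (password-protected archive); zipfile
    handles legacy ZipCrypto members, which is what most phishing ZIPs use.
    """
    members: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                members[info.filename] = ["oversized-skipped"]
                continue
            data = zf.read(info.filename, pwd=pwd)
            members[info.filename] = classify_member(info.filename, data)
    # A ZIP that delivers an installer or an AHK-compiled executable matches the
    # chain described in the report and deserves analyst attention.
    flags = {"ole-container", "msi-extension", "ahk-compiled"}
    suspicious = any(flags & set(tags) for tags in members.values())
    return {"members": members, "suspicious": suspicious}


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure archive; no real malware is embedded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        fake_msi = OLE_MAGIC + b"\x00" * 64 + b"constructed MSI stand-in"
        zf.writestr("documento_legal.msi", fake_msi)
        fake_ahk_exe = PE_MAGIC + b"\x90" * 32 + b">AUTOHOTKEY SCRIPT<" + b"MsgBox constructed"
        zf.writestr("helper.exe", fake_ahk_exe)
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    for name, tags in report["members"].items():
        print(f"{name}: {tags or 'clean'}")
    print("suspicious:", report["suspicious"])
```

The check on the OLE header rather than the `.msi` extension is deliberate: renaming the installer to `.pdf` would defeat a name-based rule but not a content-based one. For a password-protected lure, pass the password from the email body as `pwd=b"..."`; AES-encrypted ZIPs are not supported by the standard library and will raise, which is itself a useful signal to route the sample to a sandbox.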
