Quote:The Metamorfo banking trojan is abusing AutoHotKey (AHK) and the AHK compiler to evade detection and steal users’ information, researchers have warned.
AHK is a scripting language for Windows originally developed to create keyboard shortcuts (i.e., hot keys).
According to the Cofense Phishing Defense Center (PDC), the malware (a.k.a. Mekotio) is targeting Spanish-language users using two separate emails as an initial infection vector. One is a purported request to download a password-protected file; and the other is an elaborate spoofed notification about pending legal documents, with a link that downloads a .ZIP file.
In both cases, the malicious code is contained in a .ZIP file that’s ultimately downloaded to victim computers. It contains three files: the legitimate AHK compiler executable (.EXE), a malicious AHK script (.AHK) and the banking trojan itself (.DLL). These are unpacked into a randomly named file housed in C:\\ProgramData.
A script will then run the AHK compiler, the AHK compiler will execute the AHK script, and the AHK script will finally load Metamorfo into the AHK compiler memory.
“[Metamorfo] will then operate from within the AHK compiler process, using the signed binary as a front to make detection more difficult for endpoint solutions,” researchers explained, in a posting on Thursday.
For persistence, copies of all three files are also placed in a new folder.
“It will then use a run key to initiate the execution chain every time the system restarts by executing the renamed copy of the AHK compiler,” according to the report.
Read more: Metamorfo Banking Trojan Abuses AutoHotKey | Threatpost
![[-]](https://www.geeks.fyi/images/collapse.png)
