Mekotio Trojan: A PowerShell-Based Threat Targeting Victims with Stealth and Persistence


The CYFIRMA Research and Advisory Team has identified a new and sophisticated cyber threat, dubbed the Mekotio Trojan. This malware leverages PowerShell, a powerful scripting language built into Windows, to carry out its malicious activities.

The Mekotio Trojan is a prime example of how cybercriminals are increasingly using PowerShell to deliver and execute malicious payloads. During CYFIRMA’s Threat Discovery Process, researchers identified Mekotio as a particularly stealthy malware that employs sophisticated obfuscation techniques to hide its true purpose.

The Trojan’s dropper script is designed to collect detailed information about the infected system and communicate with a remote command-and-control (C2) server to receive further instructions. These instructions include downloading additional malicious files, executing them, and ensuring that they run every time the system starts up.

CYFIRMA’s analysis reveals that the Mekotio Trojan’s PowerShell script is composed of several obfuscated functions, each playing a critical role in its operation:

  1. Random_Str_Gen: This function generates random strings of letters, which are likely used to name files or directories in a way that avoids detection.
  2. XOR_Decode: A custom XOR decryption function is used to decode important data within the script, such as URLs or commands, ensuring that these elements remain hidden until they are needed.
  3. Get_IPinfo: This function retrieves the victim’s public IP address and geographical location by querying an online service, allowing the threat actor to gather detailed information about the infected system’s environment.
  4. Find_AntiVirus: Mekotio checks for the presence of antivirus software on the infected machine by querying Windows Management Instrumentation (WMI). This step helps the malware determine how to proceed with its infection strategy, depending on the defenses it encounters.
  5. C2_Download_Payload: The script manages a TCP connection to the C2 server, transmitting collected data and receiving additional payloads in return. These payloads are downloaded, decrypted, and executed, expanding the Trojan’s capabilities on the compromised system.

The Mekotio Trojan’s obfuscation techniques are designed to conceal its malicious activities from both users and security software. By encoding key strings and employing complex decryption methods, the Trojan effectively hides its operations until it is too late for the victim to respond.

Persistence is another critical aspect of Mekotio’s design. Once the Trojan downloads and installs its payloads, it ensures they are automatically executed on system startup by modifying the Windows registry. This guarantees that the malware remains active on the infected machine, even after reboots.
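
For defenders, the behaviours listed above can be hunted in PowerShell script block logs (Event ID 4104). The following Python example is added here and is not part of CYFIRMA's report or the malware's code; the regex strings, the threshold, and the sample events are assumptions constructed for illustration, since the article does not quote the script's actual commands.

```python
import re

# One heuristic per behaviour described in the article. The concrete strings
# (WMI namespace/class, .NET type, registry path) are assumptions about how
# such a script commonly looks, not values taken from the Mekotio sample.
BEHAVIOURS = {
    "xor_decode": re.compile(r"-bxor\b", re.I),
    "av_enumeration": re.compile(r"SecurityCenter2|AntiVirusProduct", re.I),
    "ip_geolocation": re.compile(
        r"(Invoke-RestMethod|Invoke-WebRequest|DownloadString).{0,80}https?://[^/\s'\"]*ip", re.I),
    "raw_tcp_c2": re.compile(r"Net\.Sockets\.TcpClient", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run(Once)?\b", re.I),
}

def score_script_block(text):
    """Return the sorted names of the behaviours whose pattern matches the text."""
    return sorted(name for name, rx in BEHAVIOURS.items() if rx.search(text))

def triage(events, threshold=3):
    """Return (record_id, hits) for script blocks showing >= threshold behaviours.

    A single behaviour (for example an inventory script querying WMI for
    antivirus products) is common in benign administration, so only the
    combination is flagged.
    """
    flagged = []
    for record_id, text in events:
        hits = score_script_block(text)
        if len(hits) >= threshold:
            flagged.append((record_id, hits))
    return flagged

# Constructed sample data: (record id, ScriptBlockText) pairs as they might be
# exported from the Microsoft-Windows-PowerShell/Operational log.
SAMPLE_EVENTS = [
    (101, "\n".join([
        r"$d[$i] = $d[$i] -bxor $k[$i % $k.Length]",
        r"Invoke-RestMethod -Uri 'https://ip-lookup.example/json'",
        r"Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct",
        r"$c = New-Object System.Net.Sockets.TcpClient('c2.example', 443)",
        r"Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name u -Value $p",
    ])),
    (102, r"Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object displayName"),
    (103, r"Invoke-WebRequest -Uri 'https://updates.example/pkg.zip' -OutFile $env:TEMP\pkg.zip"),
]

if __name__ == "__main__":
    for record_id, hits in triage(SAMPLE_EVENTS):
        print(record_id, hits)
```

Strings that a script keeps XOR-encoded until runtime will not match a literal pattern, which is why the rule counts several independent behaviours instead of relying on any one string.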

CYFIRMA’s researchers noted that the Mekotio Trojan includes comments in Portuguese within its code, suggesting that the threat actor behind this malware may originate from a Portuguese-speaking country, such as Brazil. The C2 server associated with this campaign is hosted by GoDaddy LLC in Arizona, U.S., indicating a global infrastructure supporting the malware’s operations.
