Why is your antivirus powerless against a new Trojan?
CYFIRMA has discovered a new malicious program called Mekotio Trojan, which is actively distributed among users around the world. This sophisticated Trojan uses PowerShell technology to infiltrate computers and steal sensitive information.
According to the study, the Mekotio Trojan uses a specially encrypted PowerShell script to hide its malicious activity. First, it collects data about the infected system (country, computer name, username, Windows version, and the presence of antivirus software). It then establishes a persistent connection to a remote C2 server and retrieves additional malicious files from there.
The downloaded files are unpacked and installed in the APPDATA user folder, after which they are automatically launched at each system startup. Among these files are both executable (.exe) and scripting (.ahk) components used for further attacks.
According to experts, the IP address of the C&C server that Mekotio accesses is registered in the United States on the hosting provider GoDaddy. In addition, comments in Portuguese were found in the code of the Trojan, which may indicate the involvement of Brazilian or Portuguese cybercriminals.
"The Mekotio Trojan is another example of how attackers use advanced technologies to steal data," says the head of research at CYFIRMA. "Applying powerful obfuscation techniques and ensuring that the malware is constantly running make it very difficult to detect and remove. All users need to strengthen digital hygiene measures and install reliable solutions to protect against such threats."
CYFIRMA experts note: Mekotio uses multiple layers of encryption and masking to make it difficult to detect. In addition to custom XOR decryption, attackers also use various obfuscation techniques, such as shuffling function and variable names. This makes analyzing malicious code extremely time-consuming and difficult.
According to the study, Mekotio also tries to determine what anti-virus software is installed on the infected system. This information is likely used to avoid detection.
Despite the complexity of Mekotio, CYFIRMA specialists have already developed a YARA rule that allows the Trojan to be identified by its unique characteristics. This will help antivirus solutions identify and block malicious activity.
CYFIRMA recommends using up-to-date antiviruses, regularly updating systems, being careful when opening suspicious files, and backing up important data. Only a comprehensive approach to cybersecurity can protect against the latest threats like Mekotio.
Source
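A defender's triage check for the persistence pattern the article describes (autostart entries that launch .exe or .ahk files dropped under the user's APPDATA folder). This is an added example, not CYFIRMA's YARA rule or any code from the article; it assumes a Windows host with PowerShell 5.1 or later, checking Roaming and Local APPDATA is my own broadening of the article's "APPDATA", and the script only reports, it never deletes anything.

```powershell
# Added example (not from the article or CYFIRMA): read-only hunt for autostart
# entries whose target is an .exe under APPDATA or any .ahk script.
$appData      = [Environment]::GetFolderPath('ApplicationData')       # %APPDATA% (Roaming)
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')  # %LOCALAPPDATA% (assumed)

function Test-SuspiciousTarget {
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    # Program path = the quoted token, or the first whitespace-delimited token.
    if ($Target -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($Target.Trim() -split '\s+')[0] }
    $expanded  = [Environment]::ExpandEnvironmentVariables($path)
    $inAppData = $expanded.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase) -or
                 $expanded.StartsWith($localAppData, [StringComparison]::OrdinalIgnoreCase)
    # An .exe matters when it lives under APPDATA; an .ahk anywhere in the
    # command line (e.g. passed to an AutoHotkey interpreter) is flagged outright.
    return (($inAppData -and ($expanded -match '\.exe$')) -or ($Target -match '\.ahk\b'))
}

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName...
        if (Test-SuspiciousTarget -Target ([string]$p.Value)) {
            [pscustomobject]@{ Location = $key; Name = $p.Name; Target = $p.Value }
        }
    }
})

# Per-user Startup folder: resolve .lnk shortcuts, treat other files as the target itself.
$shell   = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup')
$findings += @(foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
    $target = if ($f.Extension -eq '.lnk') {
        $lnk = $shell.CreateShortcut($f.FullName); "`"$($lnk.TargetPath)`" $($lnk.Arguments)"
    } else { $f.FullName }
    if (Test-SuspiciousTarget -Target $target) {
        [pscustomobject]@{ Location = $startup; Name = $f.Name; Target = $target }
    }
})

if ($findings.Count -eq 0) { 'No autostart entries launching .exe from APPDATA or any .ahk script.' }
else { $findings | Format-Table -AutoSize }
```

A hit is a lead for triage, not a verdict: legitimate software (including AutoHotkey users' own scripts) can autostart from APPDATA, so confirm the file's origin and hash before acting on it.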