Examining the Mekotio Trojan – CYFIRMA

CYFIRMA analyzes the Mekotio Trojan, a sophisticated PowerShell-based dropper that decodes data, gathers system information, communicates with a C2 server, and deploys payloads while persisting via registry-based autostart. The campaign centers on an Arizona-based C2 and observable IOCs like MD5/SHA-256 hashes, with recommendations emphasizing strong endpoint security and phishing awareness. #Mekotio #CYFIRMA #PowerShell #GoDaddy #Arizona #IP50_62_182_1

Keypoints

  • The Mekotio Trojan uses a PowerShell dropper obfuscated with custom XOR decryption.
  • It collects system information and communicates with a C2 server for further instructions.
  • The malware ensures persistence by modifying registry settings to run on startup.
  • Functions within the dropper include generating random strings, decoding hexadecimal strings, and downloading payloads.
  • The C2 server used by the threat actor is located in Arizona, U.S.
  • Indicators of compromise (IOCs) include specific MD5 and SHA256 hashes of the dropper.
  • Recommendations include deploying robust endpoint security and educating users on phishing tactics.
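As an added example (not CYFIRMA's code and not taken from the report), the following Python triage script parses `reg query ... /s` output for the Run keys the dropper abuses and flags values that start PowerShell with the hidden-window, encoded-command or policy-bypass switches typical of such autostart entries. The registry values are constructed samples, and the indicator list is this example's assumption, not the report's detection logic.

```python
import re

# Constructed sample of `reg query <Run key> /s` output. The "Updater" and "svc"
# values are hypothetical, NOT Mekotio's real registry artifacts (the report lists none).
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    powershell.exe -nop -w hidden -enc VwByAGkAdABlAC0A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svc    REG_SZ    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -File C:\Users\Public\u.ps1
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")                      # key header line
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")  # name / type / data
POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)

# Traits of a PowerShell autostart entry (T1547.001 + T1059.001): hidden window,
# encoded command, profile/policy bypass, in-memory loaders, or a long hex blob.
INDICATORS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "policy bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "in-memory loader": re.compile(r"\b(?:iex|invoke-expression|downloadstring|frombase64string)\b", re.I),
    "long hex blob": re.compile(r"\b[0-9a-f]{40,}\b", re.I),
}

def parse_run_values(reg_text):
    """Yield (key, value_name, data) for every value listed under each key."""
    current_key = None
    for line in reg_text.splitlines():
        if KEY_RE.match(line):
            current_key = line.strip()
        elif current_key and (m := VALUE_RE.match(line)):
            yield current_key, m.group(1), m.group(3)

def scan_run_keys(reg_text):
    """Return autostart entries that launch PowerShell with at least one suspicious trait."""
    findings = []
    for key, name, data in parse_run_values(reg_text):
        if not POWERSHELL_RE.search(data):
            continue
        hits = [label for label, rx in INDICATORS.items() if rx.search(data)]
        if hits:
            findings.append({"key": key, "name": name, "data": data, "indicators": hits})
    return findings
```

Feed it the saved output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` (and the HKLM equivalent) from a host under investigation; entries with no PowerShell host or no trait are skipped, so benign startup items do not appear.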

MITRE Techniques

  • [T1059.001] Command and Scripting Interpreter: PowerShell – “Utilizes PowerShell for executing commands and scripts.”
  • [T1064] Scripting – “Employs scripts for automation of malicious tasks.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “Modifies registry to ensure execution on startup.”
  • [T1082] System Information Discovery – “Gathers information about the system configuration.”
  • [T1083] File and Directory Discovery – “Identifies files and directories on the infected system.”
  • [T1005] Data from Local System – “Collects data from the local system for exfiltration.”
  • [T1041] Exfiltration Over C2 Channel – “Exfiltrates data via the command-and-control channel.”
  • [T1071] Application Layer Protocol – “Communicates with the C2 server using application layer protocols.”

Indicators of Compromise

  • [MD5 Hash] Mekotio Dropper – cc1582ca08498560a84fdf4e795fb63f
  • [SHA256 Hash] Mekotio Dropper – 65025475c24f4647b6140cbeced6899f8958f1c72ec17ee24816aa35d1a5639e
  • [IP Address] C2 – 50.62.182.1

Read more: https://www.cyfirma.com/research/analyzing-the-mekotio-trojan/