This isn't the first time that a trojan has used spam campaigns to distribute itself; in fact, it's very common as we've already seen in numerous articles on the blog.
In these types of emails, the subjects and topics covered are usually varied. Reasons are used such as the payment of a fine, an unpaid invoice, or any other issues, especially those related to payments and movements of money, which are often coupled with the impersonation of official bodies that make these emails appear credible and that may ensure the victim clicks on a specific place so that the attacker achieves their objective: getting the user to download and open the attached file, thus initiating the infection process.
For the trojan that we'll discuss in this article, the method is similar. In this case, it is a recently detected spam campaign that works to spread Mekotio, also known as Pazera, a banking trojan for Windows systems that have been attacking Latin American entities since the end of 2016, and that in 2020 made its way to Spain after its development team apparently began to take an interest in Spanish banks.
The Hook: Secure Electronic Communication
As occurred in January, the decoy used in the campaign is the arrival of a supposed secure electronic communication (referred to as a "burofax" in Spain). Although, it seems that the attackers haven't gone to too much trouble to make it appear really authentic, since they have reused a domain that refers to other subjects used in other propagation campaigns, such as unpaid fines.
As we can see in the image, an attempt is made to simulate the notification of secure electronic communication, in this case from the legal department of a law firm, for which they even use a physical address to give the matter more credibility and urgency. Likewise, it highlights a web address that pretends to be the official address of the health services of a Spanish autonomous community, in an attempt to give the email even greater legitimacy.
How it Works
What we've just discussed in the previous point has a single purpose: to get the user victim of this spam campaign to click on the link to download the attached file and open it, which hides the banking trojan dropper. And at this moment, the attacker manages to get the email to trick the user into opening the downloaded file so that the victim has in their possession the file containing the banking trojan dropper.
As we've seen on other occasions, this is a classic infection method seen in other Pazera propagation campaigns, especially those corresponding to its initial versions, as recently some changes have been observed.
Zip file containing the installable MSI
Let's now get to the file. Once downloaded, it is detected that it contains an MSI (Microsoft Installer) file, an installer for Windows systems used on many occasions by other trojans to distribute their malicious code and infect their victims.
When executing this file, which acts by fulfilling the usual functionalities of a dropper, a connection will be made that will download other files necessary for the next phase of the attack, after which it will continue with the download of a final compressed file that will, in turn, contain several files related to the banking malware. In these last files is where the installer programmed in a scripting language is found, a file with the possible commands and necessary configuration for the effective execution of the trojan, and finally, the DLL files that contain its functionality.
In the last phase of the infection, after downloading the zip with the malicious DLL implemented by the banking trojan, this DLL is executed, waiting for the victim to visit their bank's website to activate and start stealing their credentials mainly through keylogging.
Mekotio, also known as Pazera, is a banking trojan for Windows systems that have been targeting Latin American banks since 2016, although the list of affected entities has been increasing and its versions already include Spanish entities.
As usually occurs in other propagation campaigns via spam, the email tries to persuade the user to download and open the attached file that will act as a dropper. That's why the subjects in the email usually involve monetary issues such as downloading an invoice, paying a fine, or any other issue that may be of interest to the victim and that needs to be dealt with rather urgently, which is exactly what is done in the campaign where the notification of secure electronic communication (online "burofax") is simulated.
Likewise, it is common to find references to supposed official bodies, in this case to the Ministry of Health of a Spanish autonomous community, which perhaps on this occasion was chosen on purpose given the context of a global pandemic we are living in.