Rooty Dolphin uses Mekotio to target bank clients in South America and Europe

Key Points 

• Rooty Dolphin is a threat actor who uses Mekotio to target banks 
• Mekotio is a banking trojan with Brazilian origins 
• Rooty Dolphin started targeting South America but moved to Europe some months ago
  

Introduction 

Blueliv Labs has been tracking the activities of different threat actors performing campaigns in Latam and Europe. Initially, most of them were just focusing on South American countries, but eventually they moved to Europe, targeting countries like Spain and Portugal. The malware families they use have Brazilian flavors, like Grandoreiro or Mekotio, for example. 

In this article we will focus on the actor Rooty Dolphin, named by Blueliv and active at least since 2017. We will detail their tactics, techniques, and procedures (TTPs) and IOCs, as well as different campaigns in Spain, Italy and Chile where they have been distributing Mekotio.  

This information was presented at VB2020: “Dancing samba with Dolphins: tracking a Brazilian threat actor moving to Europe”. You can find the related IOCs in our Threat Exchange Network.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Mekotio (aka Metamorfo, N40) 

Mekotio is a banking trojan historically related to cybercriminal activity in Latin America and it is believed that it has a Brazilian origin. This family leapt into the media as a result of various campaigns against Latin American banks, especially in Chile. It is also known as Metamorfo and N40. 

Mekotio´s operation focuses on the enumeration of open windows in the running operating system (Windows). The malware obtains the title of each window and looks for the presence of specific words and sentences appearing in the title of web pages related to the targeted banks. 

Once the malware detects that the user is operating with a targeted online banking service, it proceeds to open a connection to a server controlled by the threat actor, using a not-well-known port and custom protocol. 

The protocol used is really similar to a Delphi Remote Access project publicly available on GitHub, with some modifications. The functionalities available thanks to this RAT are: 

• Remote Access 
• Copy files from the server to the bot 
• Copy files from the bot to the server 
• Mouse control 
• Keylogging 

At that moment, the malware starts working as a RAT, it allows the malicious operator to use the banking services under the just created user session and showing fake bank windows to the victim. This way of operation is usually observed in attacks against online banking services in Latin America.

Embedded images shown by Mekotio to the victims

Certain versions incorporate additional features such as monitoring the Windows clipboard to exchange Bitcoin addresses. 

It does not use webinjects, like most of the Russian banking trojans, but most of its configuration is hardcoded. This fact explains the presence of multiple configuration versions originated by the incorporation of new targets and campaigns.  

Some versions make use of public services like Google Docs to store a tiny configuration to change the malicious RAT server.

Metadata extracted by Blueliv 

Using our analysis platform, we are able to extract relevant information from the Mekotio samples to establish relationships between the different campaigns. 

These samples are usually packaged with commercial packers such as Themida and VMProtect besides having the strings encrypted. 

To be able to extract the information, reverse engineering process must be carried out to understand how the sample works and automate the extraction process. 

In our case, we carry out this process to obtain information about the control panels to which the sample will be connected once the user is navigating through the target webpages, to extract the commands used by this malware family (varies between versions), campaign identifiers, the targets and relevant strings, among other things. 

Rooty Dolphin 

Rooty Dolphin is a threat actor who targets bank clients in South America and Europe, making use of Mekotio. At Blueliv, we are code naming “Dolphins” all these actors with a potential South American origin who make use of malware written in Delphi. 

It seems at the beginning the actor was targeting Brazilian banks, then moved to target Chilean financial institutions and more recently they added Spanish and Italian targets. As the campaigns against Chile, Spain and Italy are deploying the trojan in a slightly different way, Blueliv analysts believe that several individuals work together in a group or different actors are using the same malware with the same encryption key. 

We will now detail the mode of distribution used by Rooty Dolphin to infect its victims and the relationship we have found between the different campaigns to conclude that these campaigns are being carried out by the same actor.

Tactics, Techniques and Procedures (TTPs) 

Distribution and infection process 

Infection process

The distribution and infection method can be described by the following points: 

• Malspam delivery using “spoofable” domains of well-known entities. 
• Use of an MSI installer which downloads a zip file, creates the specific folders to store the payload and finally creates persistence for the downloaded payload (AutoIt + AutoItScript + Mekotio) using a .lnk in the Startup folder to execute it when the computer boots. 
• When Mekotio starts running it sends a POST message to the control panel which it uses as an infection counter. 
• At this point, the following operations will be performed: 
  • Monitoring of BTC addresses on the clipboard, with the aim of modifying it to the one contained in its configuration. 
  • Browser monitoring, if the user opens a browser, Mekotio will check the window title, if it matches the one Mekotio has in its configuration it will establish a connection through port 8350, at this point the tasks performed are carried out by an operator. 

Below you will find details of some of the most relevant sections:

Email spoofing 

The attacker takes advantage of the fact that the entities they impersonate do not have the Sender Policy Framework (SPF) or Domain-based Message Authentication, Reporting and Conformance (DMARC) properly configured, and so, an attacker can impersonate emails from one such entity using a different domain. 

For this reason, this technique has been widely used during the actor campaigns, impersonating well-known organizations in the targeted country. In the case of Spain the actor impersonated organizations such as Agencia Tributaria of Spain (Spanish tax entity), Correos (national postal service) or DGT (national road transport entity). 

For example:

These emails may contain: 

• A direct link to the download of a malicious Windows installer (MSI). 
• A PDF attached including a direct link to download a malicious Windows installer (MSI). 

MSI Installer 

This MSI installer downloads a zip file (with different extensions) that contains 3 files:  

• AutoIt executable 
• AutoIt script 
• Mekotio DLL 

Then, the MSI installer creates the specific folder to store the downloaded files, and finally creates persistence for the payload (AutoIt + AutoItScript + Mekotio) in the Startup folder to execute it when the computer boots. 

To perform this task, this installer has an embedded obfuscated script that will be executed when the installer is run: 

obfuscated MSI script

This script downloads the components of the next stage and creates persistence for these components on the computer. 

deobfuscated MSI script

The script will create a folder with a random name in, as can be seen from this desofuscated code snippet: 

C:\\Programdata\\[random_dirname] 

Then decompress the content of the downloaded .zip file containing three components: 

• AutoIt executable 
• Script AutoIt
• Mekotio DLL 

It will create persistence in the Startup directory through a link (.lnk) with the following content: 

C:\Programdata\[random_dir]\[AutoIT].exe C:\\Programdata\\[random_dir]\[AutoItScript] C:\\Programdata\\[random_dir]\[Mekotio_DLL] 

AutoIt 

The .lnk file created in the previous step, points to the legitimate AutoIt binary which is passed the AutoIt script binary as parameter and the path to the malicious DLL:

[AutoIT].exe [AutoItScript] [Mekotio_DLL] 

So that when it is executed with those parameters, the AutoIt script will run and load the malicious Mekotio DLL into the memory of the legitimate AutoIt binary. 

This way the malicious DLL would be loaded into a legitimate AutoIt binary that is signed, which complicates detection tasks by the antivirus.

Browser Monitoring 

As described previously, when Mekotio detects that the user is browsing a targeted web page, it connects to a new domain and establishes communication with its own protocol. 

At the beginning of the communication, it reports information of the infected system that will establish the connection and the web page it is visiting, so that the operator on the other side can identify which victims are of most interest to him. 

<|QFUNHSNXU|><|PT|><|tksN|>ES42--04-05-N-96<|>64 - Windows 7 Professional N6.17601<|>WIN-XXXXXXX - -S4NT4<|>WIN-UB7O6S0FOB9<<|6//&ufj8iqtXbR!S4NT4<|YuiqkwSgot|>394430<<|<|VOTM|><|LSTU|><|VOTM|><|LSTU|><|VOTM|><|LSTU|>

The information sent begins with the sample identifier, then system information of the infected computer, the computer identifier, and an identifier of the entity, in this case S4NT4 through which the user is browsing. 

Usually this communication is established through port 8350, but we have found samples where the port used is different. 

The use of a different domain from the one used to count infections is due to the fact that it makes detection tasks more difficult, as it will only connect to this domain if the user is browsing the targeted web page.

TTPs evolution 

During the monitoring of the Spanish campaign we found some MSI samples related to this actor where the downloaded zips did not contain both AutoIT tool and AutoIT script. 

For example, the zips downloaded for the MSI samples linked with the emails related to Energía XXI, DHL and Endesa spoofed emails, contains the following binaries: 

• Disc Soft Bus Service Pro (DAEMON Tools Pro) executable 
• sptdintf.dll (SPTD Interface Library) 
• Mekotio DLL 

In this case Disc Soft Bus Service Pro binary is used to load the malicious DLL, instead using AutoIT to perform DLL side-loading. 

Shortly thereafter we observed another change in the Spanish campaign, which is still ongoing. Instead of using AutoIT or Disc Soft Bus Service Pro, AutoHotkey is used to load the malicious DLL into the AutoHotkey binary, using DLL side-loading. 

Infection chain

In addition, we note that the new MSIs deploy either 32, or 64 bit samples depending on the system architecture.

MSI file download options

Until that change, only 32-bit samples were deployed. 

Low rate detection in VT 

Although the profile of the attacker is not advanced, by splitting the attack into several stages it causes a considerable reduction in the Antivirus detection rate. As it can be seen in VirusTotal, the detection rate of the different components during the execution of the campaign is low and it is not until a few days later that they start to be marked as malicious. This is when the attacker modifies the components and carries out a new attack using the same techniques, making the attack less noticeable. 

Campaigns 

Chilean campaign 

This campaign is carried out from November 2019 to March 2020. The spoofed emails related to this campaign are regarding account payment problems “Creemos que ha ocurrido algún imprevisto con el pago de su cuenta”. 

AutoIT is used to perform DLL side-loading, and only 32 bits samples were used. 

The campaign identifier, which are embedded in the Mekotio samples, have the following format: 

OP[0-9]{2,3}--[day][month] 

The following BTC addresses were found into the Mekotio samples deployed in this campaign: 

• 15fESxxWhR4aNJVMwoW9jF8X3S57gfjxWg 
• 163McXwBrc9S7JzbgegzVuw7QTJ9H1dQj7 
• 16odfekbni6DKPaxZbWZt8qqA9wTPPR5Fg (shared with some samples found in the Spanish campaign) 

These Mekotio samples targets users from Chilean, Brazilian, Peruvian and Spanish financial institutions.

Spanish campaigns 

This campaign is carried out from March 2020 and is currently running. 

In the campaign carried out in Spain, the emails of the following entities were impersonated (among others): 

• Agencia Tributaria 
• Correos 
• DGT 
• Vodafone 
• Movistar 
• Leroy Merlin 
• Endesa
• Energía XXI 
• DHL 

Below are some of the emails that led to the download of the malicious installer:

Agencia Tributaria 

Phishing email related to COVID-19 

In this email the user is informed that due to the COVID-19, urgent tax measures have had to be taken to support the economy and employment. 

In addition, the user is advised to complete the process within seven days, and to carry out the process, the user must download the attached PDF. 

PDF document with malicious link

This pdf leads to the download of the malicious installer. 

Leroy Merlin and Movistar 

In the case of Leroy Merlin and Movistar: 

Subject of Leroy Merlin’s email: 

Le recordamos que se vincio el prazo de pagos de su factura 

And in the content of the Movistar email: 

Cordial Saludo, 

Le recordamos que se vinció el prazo de pagos de su factura con 
nosotros, la factura  LUAUSHD29917282BBDKSSS.  
 
Lamentamos informarle que si el pago no si realiza hasta 30 de abril 
del 2020 suspenderemos los servicios. 
 
Descargar la factura.

It’s interesting to see how both emails are improperly written in Spanish, using “vincio” and “prazo”, instead of “venció” and “plazo” . 

This email, like the ones above, has the goal of inducing the user to download and execute the malicious installer.

Campaign ID analysis

The Spanish campaign identifiers, which are embedded in the Mekotio samples, have the following format: 

ES[0-9M]{2,3}--[day][month]

These identifiers are related to the name of the zip file containing the three components, along with the Mekotio DLL, downloaded by the MSI in the infection process:

In addition to this, in the campaign identifier one can notice a date composed by the day and month in which the campaigns were launched. 

The information shown in the table is a small subset, with the aim of showing the advance of the campaign throughout the months. 

From the samples we have collected in Blueliv, we have observed that new samples are continuously being launched. 

During the Spanish campaign we noticed a several changes in the TTPs, at first AutoIT was used to hide the Mekotio DLL. 

But some of the MSIs that supplanted entities such as Endesa, DHL and Energía XXI, instead of using AutoIT to perform the DLL side-loading technique, began to make use of tools related to Daemon Tools. 

Later on, during this campaign, we observed that the TTPs were changed again and AutoHotkey was used to load the Mekotio DLL into memory, in addition to the MSIs deploying 32 and 64 bit samples. 

These changes are still in use to this date. 

The BTC Addresses related to this campaign are the following: 

• 16odfekbni6DKPaxZbWZt8qqA9wTPPR5Fg (shared with some samples found in the Chilean campaign) 
• 1PkVmYNiT6mobnDgq8M6YLXWqFraW2jdAk 

• 1B6zPQ2xFSNpXaxzTBDVifPvBEJsjtjG63 (shared with some samples found in the Italian Campaign) 

The Mekotio samples targets users from Chilean, Brazilian, Peruvian, Spanish financial institutions and some BTC exchanges.

Italian campaign 

This campaign is carried out from July 2020 and is currently running. 

The Ministero delle Infrastrutture e dei Trasporti is impersonated via email spoofing:

Email spoofing for the department of Transport

In this case, AutoHotkey is used to perform DLL Side-loading, and 32 and 64 bits samples are found. 

The BTC Address related to this campaign is the following: 

• 1B6zPQ2xFSNpXaxzTBDVifPvBEJsjtjG63 (shared with some samples in the Spanish Campaign) 

The Mekotio samples targets users from Chilean, Brazilian, Peruvian, Spanish and Italian financial institutions and some BTC exchanges.

Links between campaigns 

We found relationships between the different campaigns at different levels. 

In addition to the fact that these campaigns have the same TTPs, share BTC addresses between campaigns and in some cases even the domain of the C2 ARP, we found more links between them. 

For example, MSIs from different campaigns downloaded the malicious components from the same domains, as shown below:

Chilean campaign: 

• hxxp://vergaralandscaping[.]com/home/docs/download/opsessentaeoi8.ghr 

Spanish campaign: 

• hxxp://vergaralandscaping[.]com/home/es/essixtyetres.djx 
• hxxps://blog[.]einsteinclasses[.]com/downloads/ezemetrhirtiiseixa.djx 
• hxxps://blog[.]einsteinclasses[.]com/downloads/ezemetrhirtiiseixb.djx 

Italian campaign: 

• hxxps://blog[.]einsteinclasses[.]com/downloads/initizerooneita.djx 
• hxxps://blog[.]einsteinclasses[.]com/downloads/initizerooneitb.djx 

This is a small sample of the relationships that the different campaigns had at this level. 

We also found relationships between the emails used in spam campaigns: 

Similar phishing used in both campaign

In this example it can be seen how the same email template is used in the Spanish campaign of the DGT and the Italian campaign of the Ministry of Infrastructure and Transport.

Timeline 

During the research, it was noted that the campaigns have an estimated duration of three to five months. 

The change in TTPs, the deployment of new samples almost every day and the use of multi-stage attacks allows the actor’s attacks to have low detection for enough time to carry out their operations. 

During the Spanish campaign, we detected the beginning of the campaign in Italy and observed how the samples related to this actor that were targeting Spain were no longer deployed (or at least we were not collecting them). 

At that time, we thought that the Spanish campaign could have finished, and that the actor had shifted his focus to Italy. 

But since then we have seen how the campaign in Spain is still going on, even adding new Spanish financial institutions as targets.

Mekotio RAT servers 

During the campaign, the C2 used as infection counter changes frequently, while the RAT C2 remains unchanged throughout the campaign since Mekotio only establishes the connection with the RAT C2 if the user navigates to the target website. 

Therefore, typical sandboxes will not get these C2s unless they can extract and decrypt the information from memory. 

Rooty Dolphin connection 

Thanks to our data extraction capabilities, we have been able to link the information in the way described below. 

The campaigns with the following identifiers: 

• OP[0-9]{2,3}–[day]-[month] 
• ES[0-9M]{2,3}–[day]-[month] 
• IT[0-9]{2,3}–[day]-[month] 
• Y[0-9]{2,3}–[day]-[month] 
• LLW[0-9]{3}–[day]-[month] 
• SC–[day]-[month] 
• ST–[day]-[month] 
• WS[0-9]{3}–[day]-[month] 
• [0-9]{3}–[day]-[month] (Grouped in the graph by 1XX-5XX) 

Are linked by:

• Key to decipher the strings 5VANV4SDMC3VEAFR8S2M3M9U6WRH3P7FDD9T9Q10IAG5WZJ5K
  
• Mekotio remote control commands 
• Domains used as infection counters 
• Domains used for Mekotio remote control 
• BTC Addresses 

 By connecting all this data in a graph, it is easy to see that there are relationships between the different campaigns: 

Relationship between campaigns

Only samples that share the same decryption key, same nomenclature in the commands and have been distributed in a similar way have been used to generate the graph. 

As it can be appreciated there are relationships between the infection domains, remote control domains and BTC address, which allowed us to determine if the samples are from the same actor or group of actors. 

Highlight of Rooty Dolphin campaigns

On the right side we found Rooty Dolphin campaigns ids (OP, ES/ESM and IT), they share the BTC address, some control panels (used only for the call home) and some RAT domains. 

Rooty dolphin campaign graph

And using this is possible to find another kind of campaigns related to this actor, such as the one with ST and Y campaign id.  

Using these constraints, we have been able to link Rooty Dolphin actor at sample level. 

Analyzing the origin of the samples on the left side, we have found that these samples are related to different campaigns, that uses different emails, uses different control panel (dropper, infection counter and RAT) and have a different campaign ID. 

Relationship numeric campaigns

But these samples have the same the decryption key, the same remote control commands and the same targets. 

When we analyzed the Italian samples from Rooty Dolphin, we found that these samples have the same targets that we have found in other samples not related with Rooty Dolphin. Moreover, these campaigns evolve at the same pace, implementing the same techniques such as moving from AutoIT to AutoHotkey or deploying 64 bits Mekotio. 

Based only on the similarities between samples used in apparently unrelated campaigns, Rooty Dolphin could be part of a bigger group, but if we take into account the differences between the campaigns themselves, such as the infrastructure used, and the modus operandi, such as the use of FreeDNS services and Microsoft Cloud, versus using his own domains, among other differences, Rooty Dolphin could be an independent operator that is acquiring the tools from the same provider as the rest of actors using Mekotio.

Conclusions 

Rooty Dolphin has carried out campaigns in Italy, Spain and Chile, some of them are still active, using PHISHING as an entry vector impersonating trusted entities for the user, due to an incorrect configuration of SPF and DMARC by the supplanted entities. 

As a result of the monitoring carried out and our capabilities to extract information from the different samples, we have observed the fast evolution of the campaigns and how each stage is constantly updated, complicating the detection tasks and allowing these samples not to be marked as malicious for days. 

We have seen that Rooty Dolphin samples share TTPs with other samples not related to this actor. It is possible that Rooty Dolphin is part of a large group or there are different operators getting the tools to deploy their attacks from the same provider. 

You can find all of the IOCs related to Rooty Dolphin in our community.

Targeted Banks 

Countries and regions targeted by Rooty Dolphin

Regarding the affectation, looking the strings that contain the samples, which refer to the financial institutions, we have found that the targeted entities belong mostly to Italy, Spain, Chile, Brazil and Peru: 

This blog post was authored by Carlos Rubio and Jose Miguel Esparza, supported by the Blueliv Labs team 

The post Rooty Dolphin uses Mekotio to target bank clients in South America and Europe appeared first on Blueliv.

Recent Articles By Author

• The Russia-Ukraine crisis shakes up the cybercriminal ecosystem
• Best of 2021 – State of Underground Card Shops in 2021
• ShinyHunters leaks Wirecard Brasil data

More from Blueliv Labs

*** This is a Security Bloggers Network syndicated blog from Blueliv authored by Blueliv Labs. Read the original post at: https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/