
Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

July 8, 2024

Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz).

That's according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware.

Mekotio, known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal with an aim to steal banking credentials.


First documented by ESET in August 2020, it is part of a tetrade of banking trojans targeting the region, alongside Guildma, Javali, and Grandoreiro, the latter of which was dismantled by law enforcement earlier this year.


“Mekotio shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows, containing backdoor functionality and targeting Spanish- and Portuguese-speaking countries,” the Slovakian cybersecurity company said at the time.

The malware operation suffered a blow in July 2021 when Spanish law enforcement agencies arrested 16 individuals belonging to a criminal network in connection with orchestrating social engineering campaigns targeting European users that delivered Grandoreiro and Mekotio.

Attack chains involve the use of tax-themed phishing emails that aim to trick recipients into opening malicious attachments or clicking on bogus links that lead to the deployment of an MSI installer file, which, in turn, makes use of an AutoHotKey (AHK) script to launch the malware.

It's worth noting that the infection process marks a slight deviation from the one previously detailed by Check Point in November 2021, which made use of an obfuscated batch script that runs a PowerShell script to download a second-stage ZIP file containing the AHK script.

Once installed, Mekotio harvests system information and establishes contact with a command-and-control (C2) server to receive further instructions.

Its main objective is to siphon banking credentials by displaying fake pop-ups that impersonate legitimate banking sites. It can also capture screenshots, log keystrokes, steal clipboard data, and establish persistence on the host using scheduled tasks.
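For defenders, the chain described above (an MSI installer launching an AutoHotKey script, followed by scheduled-task persistence) can be hunted as a process-lineage pattern. The following is an added example, not code from Trend Micro or the article; the events are constructed, the field names are a simplified assumption modelled on process-creation telemetry, and the rule names are hypothetical.

```python
import ntpath

# Constructed process-creation events (simplified fields: pid, ppid, image, cmd).
# All paths, PIDs and the task name are made up for this example.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\u\Downloads\invoice.msi"'},
    {"pid": 210, "ppid": 200, "image": r"C:\Users\u\AppData\Roaming\x\AutoHotkey.exe",
     "cmd": r"AutoHotkey.exe C:\Users\u\AppData\Roaming\x\run.ahk"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks.exe /create /tn Example /tr C:\Users\u\AppData\Roaming\x\a.exe /sc onlogon"},
    # Benign: a user running their own AHK script and querying tasks from the shell.
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmd": r"AutoHotkey.exe C:\Users\u\Documents\hotkeys.ahk"},
    {"pid": 310, "ppid": 100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks.exe /query"},
]

def basename(path):
    return ntpath.basename(path).lower()

def has_msi_ancestor(event, by_pid):
    """Walk the parent chain looking for msiexec.exe; guard against PID loops."""
    seen, cur = set(), by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen:
        if basename(cur["image"]) == "msiexec.exe":
            return True
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return False

def detect(events):
    """Return (pid, rule) for AHK launches or task creation descending from an MSI install."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not has_msi_ancestor(e, by_pid):
            continue
        name, cmd = basename(e["image"]), e["cmd"].lower()
        if name.startswith("autohotkey") or ".ahk" in cmd:
            alerts.append((e["pid"], "msi_spawns_ahk"))
        elif name == "schtasks.exe" and "/create" in cmd:
            alerts.append((e["pid"], "msi_descendant_creates_task"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Matching on the interpreter's file name alone misses a renamed AutoHotKey binary, which is why the command line is also checked for an `.ahk` argument.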


The stolen information can then be used by the threat actors to gain unauthorized access to users' bank accounts and conduct fraudulent transactions.

“The Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries,” Trend Micro said. “It uses phishing emails to infiltrate systems, with the goal of stealing sensitive information while also maintaining a strong foothold on compromised machines.”

The development comes as Mexican cybersecurity firm Scitum disclosed details of a new Latin American banking trojan codenamed Red Mongoose Daemon that, similar to Mekotio, utilizes MSI droppers distributed via phishing emails masquerading as invoices and tax notes.

“The main objective of Red Mongoose Daemon is to steal victims’ banking information by spoofing PIX transactions through overlapping windows,” the company said. “This trojan is aimed at Brazilian end users and employees of organizations with banking information.”

“Red Mongoose Daemon has capabilities for manipulating and creating windows, executing commands, controlling the computer remotely, manipulating web browsers, hijacking clipboards, and impersonating Bitcoin wallets by replacing copied wallets with the ones used by cybercriminals.”


Some parts of this article are sourced from:
thehackernews.com
