The Mekotio banking trojan is a highly advanced piece of malicious software that has been in operation since at least 2015. It primarily targets countries in Latin America, with the primary aim of stealing vital information, especially banking credentials, from its victims. Originating in the Latin American region, it has found significant success in Brazil, Chile, Mexico, Spain, and Peru. Additionally, it appears that Mekotio shares an origin with other significant Latin American banking malware such as Grandoreiro, which was halted by law enforcement earlier this year. Mekotio is often spread through deceptive emails, utilizing social engineering techniques to trick users into interacting with malicious links or attachments.
We’ve recently observed a spike in attacks related to Mekotio among our clientele. In this blog post, we’ll give an overview of the trojan and its operations.
Figure 1 shows the progression of a Mekotio infection:
Mekotio usually arrives through emails posing as tax agencies claiming that the recipient has unsettled tax obligations. These emails include a ZIP file attachment or a link to a malicious website. Once the recipient interacts with the email, the malicious software is downloaded and run on their system. In the case we examined, the attachment is a PDF document that holds the malicious link.
When launched, Mekotio collects system details and establishes a connection with a command-and-control (C&C) server. This server provides commands and a set of tasks for the malware to execute.
Once inside the system, Mekotio carries out the following malicious actions:
- Credential Theft: Mekotio’s primary purpose is to steal banking credentials. It accomplishes this by displaying fake pop-ups that imitate legitimate banking platforms, misleading users into entering their information, which the trojan then collects.
- Information Gathering: Mekotio can capture screenshots, log keystrokes, and steal clipboard data.
- Persistence Mechanisms: Mekotio employs different strategies to maintain its presence on the compromised system, such as inserting itself into startup programs or setting up scheduled tasks.
The stolen banking information is transmitted back to the C&C server, where it can be used further by malicious actors for illicit activities, such as gaining unauthorized access to bank accounts.
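The infection chain described above (lure delivered by a mail client or document viewer, payload launched from a user-writable path, persistence via a startup entry or scheduled task, then a connection to the C&C server) can be hunted for as a sequence in endpoint telemetry. The following is an added detection example, not code from the original post or from any vendor product; the Sysmon-style event fields, paths, process names and timestamps are constructed and purely illustrative.

```python
from datetime import datetime, timedelta

# Parent applications through which the lure reaches the user (mail client, browser, PDF reader).
DELIVERY_PARENTS = ("outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "acrord32.exe")
# Paths writable without elevation, where an attachment or download is dropped and launched.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
RUN_KEY = "\\currentversion\\run\\"  # autostart key: "startup programs" persistence

def is_persistence(ev):
    """True for a Run-key write or a 'schtasks /create' launch (scheduled-task persistence)."""
    if ev["type"] == "registry":
        return RUN_KEY in ev["target"].lower()
    return (ev["type"] == "process" and ev["image"].lower().endswith("schtasks.exe")
            and "/create" in ev.get("cmdline", "").lower())

def find_mekotio_like_chains(events, window_s=300):
    """Flag each process spawned by a delivery app from a user-writable path that, within
    window_s seconds, both set persistence (itself or via a schtasks child) and connected out."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if ev["type"] != "process" or not ev["parent"].lower().endswith(DELIVERY_PARENTS):
            continue
        if not any(m in ev["image"].lower() for m in USER_WRITABLE):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        later = [e for e in events
                 if t0 < datetime.fromisoformat(e["ts"]) <= t0 + timedelta(seconds=window_s)]
        persisted = any(is_persistence(e) and (e.get("pid") == ev["pid"]
                        or e.get("parent", "").lower() == ev["image"].lower()) for e in later)
        beacon = any(e["type"] == "network" and e["pid"] == ev["pid"] for e in later)
        if persisted and beacon:
            findings.append({"pid": ev["pid"], "image": ev["image"], "parent": ev["parent"]})
    return findings

# Constructed Sysmon-style sample events (illustrative field names and values, not real telemetry).
OUTLOOK = r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"
PAYLOAD = r"C:\Users\ana\AppData\Local\Temp\factura.exe"
SAMPLE_EVENTS = [
    {"ts": "2024-07-01T10:00:00", "type": "process", "pid": 4100, "parent": r"C:\Windows\explorer.exe", "image": OUTLOOK},
    {"ts": "2024-07-01T10:01:10", "type": "process", "pid": 4200, "parent": OUTLOOK, "image": PAYLOAD},
    {"ts": "2024-07-01T10:01:12", "type": "process", "pid": 4210, "parent": PAYLOAD, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /sc onlogon /tn Upd /tr " + PAYLOAD},
    {"ts": "2024-07-01T10:01:15", "type": "network", "pid": 4200, "dest": "203.0.113.10:443"},
    # benign: a vendor updater under Program Files, launched by explorer, writing its own Run key
    {"ts": "2024-07-01T10:05:00", "type": "process", "pid": 5000, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Vendor\updater.exe"},
    {"ts": "2024-07-01T10:05:01", "type": "registry", "pid": 5000, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
]
```

Requiring all four stages within the window keeps a lone Run-key write by a legitimate updater from alerting; tune the window and the delivery-app list to the environment's own telemetry.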
To shield themselves from threats mainly distributed via email, users can adhere to sound security practices. These encompass the following:
- Exercising caution with unsolicited emails
  - Users must validate the sender’s email address, scan for spelling and grammar errors, and scrutinize subject lines.
- Avoiding clicking on hyperlinks and downloading attachments
  - Users should hover over links to inspect URLs and avoid downloading attachments unless certain of the sender’s identity.
- Confirming sender authenticity
  - Users ought to directly reach out to the sender using known contact details and cross-check the email against prior communication if suspicions of malicious intent arise.
- Utilizing email filters and anti-spam programs
  - Organizations should ensure that spam filters and other security tools are activated and up to date.
- Reporting phishing activities
  - Users should inform their IT and security teams about phishing attempts when appropriate.
- Educating staff on security best practices
  - Businesses should educate their staff on phishing and social engineering strategies, as well as offer regular phishing awareness training.
The Mekotio banking trojan poses a persistent and developing threat to financial systems, particularly in Latin American regions. It leverages phishing emails to infiltrate systems, aiming to seize sensitive information while also retaining a firm grip on compromised devices. By adhering to endorsed security practices such as verifying email legitimacy, avoiding dubious links and attachments, and deploying robust cybersecurity solutions, individuals and organizations can considerably diminish the risk of succumbing to this perilous malware.
Indicators of Compromise
The indicators of compromise for this entry can be accessed here.