Experts Issue Alert on Mekotio Banking Trojan Targeting Nations in Latin America
Financial institutions in Latin America are being targeted by a banking trojan known as Mekotio (also tracked as Melcoz).
The findings come from Trend Micro, which has observed a recent surge in attacks distributing this Windows malware.
Mekotio, active since 2015, is known for targeting Latin American countries such as Brazil, Chile, Mexico, and Peru, as well as Spain and Portugal, with the goal of stealing banking credentials.
First publicly documented by ESET in August 2020, the trojan is one of four banking trojan families focused on the region, alongside Guildma, Javali, and Grandoreiro. The last of these was disrupted by law enforcement earlier this year.
“Mekotio exhibits common characteristics seen in this category of malware, such as being crafted in Delphi, employing counterfeit pop-up windows, containing covert backdoor capabilities, and having a target audience of Spanish- and Portuguese-speaking countries,” the Slovakian cybersecurity firm reported.
In July 2021, the operation suffered a setback when Spanish law enforcement arrested 16 individuals linked to a criminal network that ran social engineering campaigns against European users to distribute Grandoreiro and Mekotio.
The attacks begin with tax-themed phishing emails that trick recipients into opening a malicious attachment or clicking a bogus link, either of which delivers an MSI installer. The installer, in turn, runs an AutoHotkey (AHK) script to launch the malware.
[Figure: The Red Mongoose Daemon Infection Chain]
Notably, this infection method differs slightly from the one Check Point documented in November 2021, in which an obfuscated batch script ran a PowerShell script that downloaded a secondary ZIP archive containing the AHK script.
Once installed, Mekotio collects system information and contacts a command-and-control (C2) server to receive further instructions.
Its primary goal is to steal banking credentials by displaying fake pop-up windows that mimic legitimate banking portals. It can also take screenshots, log keystrokes, steal clipboard contents, and establish persistence on the host through scheduled tasks.
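The chain described above (MSI installer spawning an AutoHotkey script, followed by scheduled-task persistence) is easy to hunt for in process-creation telemetry. The following is an added example written for this page; it is not code from Trend Micro, ESET or the article. The events are constructed, Sysmon-like records (image, parent image, command line, pid, ppid), the AutoHotkey interpreter file names are an assumption about how the interpreter is typically dropped, and the lure file name is invented.

```python
"""Hunt for an MSI -> AutoHotkey launch and follow-on schtasks persistence.

Added example, not code from the article or the vendors it cites. Event layout
is a constructed, Sysmon Event ID 1-like dict; interpreter names are assumed.
"""
import re

# Assumption: common file names under which the AutoHotkey interpreter ships.
AHK_IMAGES = {"autohotkey.exe", "autohotkeyu64.exe", "autohotkeyu32.exe", "autohotkeya32.exe"}
AHK_SCRIPT_RE = re.compile(r"\.ahk\b", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r"(^|\s)/create\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_ahk_launch(event: dict) -> bool:
    """True if the process is the AHK interpreter or is handed an .ahk script."""
    return basename(event["image"]) in AHK_IMAGES or bool(
        AHK_SCRIPT_RE.search(event.get("command_line", ""))
    )


def hunt(events: list) -> list:
    """Return (pid, tag) findings. Events must be in chronological order,
    because the schtasks rule only fires for children of an already-flagged
    AHK process; a lone 'schtasks /create' from svchost is left alone."""
    findings = []
    ahk_pids = set()
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent_image"])
        cmd = ev.get("command_line", "")
        if parent == "msiexec.exe" and is_ahk_launch(ev):
            ahk_pids.add(ev["pid"])
            findings.append((ev["pid"], "msi_to_ahk"))
        elif image == "schtasks.exe" and SCHTASKS_CREATE_RE.search(cmd) and ev["ppid"] in ahk_pids:
            findings.append((ev["pid"], "schtasks_persistence_from_ahk"))
    return findings


# Constructed sample telemetry (not real IOCs): a tax-themed MSI lure opened
# from the mail client, the AHK loader it drops, its persistence task, plus two
# benign look-alikes that must not fire.
TEMP = "C:\\Users\\u\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"pid": 3000, "ppid": 1200, "image": "C:\\Program Files\\Outlook\\outlook.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "outlook.exe"},
    {"pid": 4000, "ppid": 3000, "image": "C:\\Windows\\System32\\msiexec.exe",
     "parent_image": "C:\\Program Files\\Outlook\\outlook.exe",
     "command_line": "msiexec.exe /i C:\\Users\\u\\Downloads\\comprobante_fiscal.msi"},
    {"pid": 4100, "ppid": 4000, "image": TEMP + "AutoHotkeyU64.exe",
     "parent_image": "C:\\Windows\\System32\\msiexec.exe",
     "command_line": TEMP + "AutoHotkeyU64.exe " + TEMP + "loader.ahk"},
    {"pid": 4200, "ppid": 4100, "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent_image": TEMP + "AutoHotkeyU64.exe",
     "command_line": 'schtasks.exe /create /tn "SystemUpdater" /sc onlogon /tr "'
                     + TEMP + "AutoHotkeyU64.exe " + TEMP + 'loader.ahk"'},
    # Benign: the OS scheduling its own task.
    {"pid": 5000, "ppid": 900, "image": "C:\\Windows\\System32\\schtasks.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "command_line": "schtasks.exe /create /tn \\Microsoft\\Windows\\Maint /sc daily"},
    # Benign: msiexec spawning its usual helper instance.
    {"pid": 4001, "ppid": 4000, "image": "C:\\Windows\\System32\\msiexec.exe",
     "parent_image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "msiexec.exe /V"},
]

if __name__ == "__main__":
    for pid, tag in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {tag}")
```

The parent-child correlation is what keeps the rule quiet: `schtasks /create` is common on a healthy host, so it is only reported when its parent is a process that itself arrived via `msiexec.exe` launching AutoHotkey. Real telemetry would need the same fields mapped from Sysmon or EDR exports, and the interpreter name list widened to whatever the sample actually drops.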

The stolen data is then used by the threat actors to gain unauthorized access to victims’ bank accounts and carry out fraudulent transactions.
“The Mekotio banking trojan poses a persistent and evolving threat to financial systems, particularly in Latin American territories,” Trend Micro emphasized. “It leverages phishing emails as an entry point to infiltrate systems, aiming to extract sensitive data while maintaining a firm grip on compromised systems.”
The disclosure coincides with Mexican cybersecurity firm Scitum detailing a new Latin American banking trojan dubbed Red Mongoose Daemon, which, like Mekotio, uses MSI droppers distributed via phishing emails posing as invoices and tax documents.
“Red Mongoose Daemon’s principal objective is to seize victims’ banking information by mimicking PIX transactions through overlapping interfaces,” the company said. “This trojan is designed for Brazilian end users and staff members of entities handling banking data.”
“Red Mongoose Daemon boasts features for manipulating and generating windows, executing commands, remotely controlling computers, manipulating web browsers, intercepting clipboards, and masquerading as Bitcoin wallets by substituting copied wallets with those utilized by cybercriminals.”