Financial institutions across Latin America are facing a significant threat from a banking trojan named Mekotio (also known as Melcoz).
According to findings from Trend Micro, there has been a notable increase in cyber attacks distributing this Windows-based malware.
Mekotio, which has been actively operational since 2015, specifically targets countries such as Brazil, Chile, Mexico, Spain, Peru, and Portugal with the intent to pilfer banking credentials.
Initially documented by ESET in August 2020, Mekotio is part of a quartet of banking trojans focusing on the region, alongside Guildma, Javali, and Grandoreiro, the last of which was dismantled by law enforcement earlier this year.
“Sharing characteristics typical of such malware, Mekotio is coded in Delphi, utilizes deceptive pop-up windows, includes backdoor functionalities, and focuses on Spanish- and Portuguese-speaking regions,” stated the Slovakian cybersecurity firm.
The malware’s operations suffered a setback in July 2021 when Spanish law enforcement apprehended 16 individuals linked to a criminal network engaged in social engineering campaigns. These campaigns targeted European users and facilitated the distribution of Grandoreiro and Mekotio.
The attack vectors often begin with tax-themed phishing emails designed to deceive recipients into opening malicious attachments or clicking on counterfeit links. These actions trigger the deployment of an MSI installer file, which subsequently executes an AutoHotKey (AHK) script to introduce the malware.
It’s noteworthy that the infection process deviates slightly from methods previously outlined by Check Point in November 2021. Their analysis highlighted the use of an obfuscated batch script initiating a PowerShell script to download a second-stage ZIP file containing the AHK script.
Once installed, Mekotio collects system data and connects to a command-and-control (C2) server to receive further directives.
Its primary objective is to capture banking credentials through fraudulent pop-ups impersonating legitimate banking websites. Additionally, it can take screenshots, log keystrokes, capture clipboard data, and establish persistence on compromised systems via scheduled tasks.
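The infection chain (MSI installer launching an AutoHotKey script) and the scheduled-task persistence described above give a defender two process-tree signals to hunt for. The detector below is an added example, not code from Trend Micro or the article; the event lines are constructed and the `pid=... ppid=... image=... cmd=...` layout is an assumed minimal form standing in for Sysmon Event ID 1 or EDR process-creation records.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not telemetry from the campaign).
SAMPLE_EVENTS = [
    "pid=412 ppid=1 image=C:\\Windows\\explorer.exe cmd=explorer.exe",
    "pid=520 ppid=412 image=C:\\Windows\\System32\\msiexec.exe cmd=msiexec.exe /i factura.msi /qn",
    "pid=611 ppid=520 image=C:\\Users\\u\\AppData\\Local\\Temp\\AutoHotkey.exe cmd=AutoHotkey.exe script.ahk",
    "pid=702 ppid=611 image=C:\\Windows\\System32\\schtasks.exe cmd=schtasks.exe /create /sc onlogon /tn Updater /tr AutoHotkey.exe",
    "pid=803 ppid=412 image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe",
]

EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(\S+) cmd=(.*)")
AHK_RE = re.compile(r"^autohotkey.*\.exe$", re.IGNORECASE)  # interpreter basename


def parse_events(lines: List[str]) -> Dict[int, dict]:
    """Index events by pid so parent chains can be walked."""
    events = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            pid, ppid, image, cmd = m.groups()
            events[int(pid)] = {"ppid": int(ppid), "image": image, "cmd": cmd}
    return events


def ancestors(events: Dict[int, dict], pid: int) -> List[str]:
    """Return ancestor image basenames (lower-cased), nearest parent first."""
    chain, seen = [], set()
    cur = events.get(pid, {}).get("ppid")
    while cur in events and cur not in seen:  # stop at root or on a pid cycle
        seen.add(cur)
        chain.append(events[cur]["image"].rsplit("\\", 1)[-1].lower())
        cur = events[cur]["ppid"]
    return chain


def detect(lines: List[str]) -> List[Tuple[str, int]]:
    """Flag msiexec -> AutoHotKey chains and schtasks /create run under an AHK interpreter."""
    events = parse_events(lines)
    hits = []
    for pid, ev in events.items():
        base = ev["image"].rsplit("\\", 1)[-1].lower()
        chain = ancestors(events, pid)
        if AHK_RE.search(base) and "msiexec.exe" in chain:
            hits.append(("msi_spawned_ahk", pid))
        if base == "schtasks.exe" and "/create" in ev["cmd"].lower() and any(AHK_RE.search(a) for a in chain):
            hits.append(("ahk_scheduled_task_persistence", pid))
    return hits
```

Walking the ancestor chain rather than only the direct parent keeps the rule firing when the malware inserts an extra stage (a batch or PowerShell wrapper, as in the Check Point variant) between the installer and the interpreter.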
“The Mekotio banking trojan represents a persistent and evolving threat to financial infrastructures, particularly in Latin America,” cautioned Trend Micro. “It leverages phishing tactics to infiltrate systems, aiming to pilfer sensitive information while maintaining a robust foothold on compromised machines.”
This development coincides with revelations from Mexican cybersecurity firm Scitum regarding a new banking trojan in Latin America codenamed Red Mongoose Daemon. Similar to Mekotio, this trojan deploys MSI droppers through phishing emails disguised as invoices and tax notices.
“Red Mongoose Daemon is designed to steal banking information by mimicking PIX transactions through overlapping windows,” the company elaborated. “It specifically targets Brazilian end users and employees of organizations holding financial data.”
“Red Mongoose Daemon boasts functionalities including window manipulation, command execution, remote computer control, browser manipulation, clipboard hijacking, and the substitution of copied Bitcoin wallet addresses with those controlled by cybercriminals.”