Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

Financial institutions in Latin America are facing threats from a banking trojan known as Mekotio (aka Melcoz).

According to Trend Micro, there has been a recent surge in cyber attacks distributing this Windows malware.

Mekotio, actively used since 2015, targets countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal, aiming to steal banking credentials.

First documented by ESET in August 2020, Mekotio is part of a group of banking trojans targeting the region, which includes Guildma, Javali, and Grandoreiro, the latter of which was dismantled by law enforcement earlier this year.


“Mekotio shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows, containing backdoor functionality, and targeting Spanish- and Portuguese-speaking countries,” the Slovakian cybersecurity firm said at the time.

The malware operation suffered a blow in July 2021 when Spanish law enforcement agencies arrested 16 individuals connected to a criminal network orchestrating social engineering campaigns that targeted European users, delivering Grandoreiro and Mekotio.

The attack chains involve tax-themed phishing emails designed to trick recipients into opening malicious attachments or clicking on bogus links that lead to the deployment of an MSI installer file, which then uses an AutoHotKey (AHK) script to launch the malware.

The Red Mongoose Daemon Infection Chain

The infection process marks a slight deviation from the one previously detailed by Check Point in November 2021, which used an obfuscated batch script that ran a PowerShell script to download a second-stage ZIP file containing the AHK script.

Once installed, Mekotio harvests system information and establishes contact with a command-and-control (C2) server to receive further instructions.

Its main objective is to steal banking credentials by displaying fake pop-ups that impersonate legitimate banking sites. It can also capture screenshots, log keystrokes, steal clipboard data, and establish persistence on the host using scheduled tasks.
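The chain described above (MSI installer handing off to an AutoHotKey script, then persistence via a scheduled task) can be hunted for in endpoint process-creation telemetry. The following is an added detection example, not code from the article or from Trend Micro; the events, paths, task name and file names are constructed for illustration and are not Mekotio indicators.

```python
"""Flag Mekotio-style process chains in Sysmon-like process-creation events."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process

AHK_MARKERS = ("autohotkey", ".ahk")

def _mentions_ahk(text: str) -> bool:
    t = text.lower()
    return any(m in t for m in AHK_MARKERS)

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    parent, image, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line.lower()
    # (1) an MSI installer launching an AutoHotKey interpreter or .ahk script
    if parent == "msiexec.exe" and _mentions_ahk(ev.image + " " + ev.command_line):
        return "msi_to_ahk"
    # (2) a scheduled task being created whose action runs an AHK script (persistence)
    if image == "schtasks.exe" and "/create" in cmd and _mentions_ahk(cmd):
        return "ahk_scheduled_task"
    return None

def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, label) for every event that matches a rule."""
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev))]

# Constructed sample telemetry (hypothetical paths and names, not real IoCs).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\u\Downloads\nota_fiscal.msi /qn"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe",
              r"AutoHotkey.exe C:\Users\u\AppData\Local\Temp\ld.ahk"),
    ProcEvent(r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\u\AppData\Local\Temp\AutoHotkey.exe C:\Users\u\AppData\Local\Temp\ld.ahk"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
              r"AutoHotkey.exe C:\Users\u\scripts\hotkeys.ahk"),  # benign user-started script
]

if __name__ == "__main__":
    for idx, label in hunt(SAMPLE_EVENTS):
        print(idx, label)
```

Tune the marker list and the parent-process check to your own telemetry; legitimate AutoHotKey use started by a user (the last sample event) is deliberately not flagged.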


The stolen information is then used by threat actors to gain unauthorized access to users’ bank accounts and perform fraudulent transactions.

“The Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries,” Trend Micro said. “It uses phishing emails to infiltrate systems with the goal of stealing sensitive information while maintaining a strong foothold on compromised machines.”

The development comes as Mexican cybersecurity firm Scitum disclosed details of a new Latin American banking trojan codenamed Red Mongoose Daemon. Similar to Mekotio, it utilizes MSI droppers distributed via phishing emails masquerading as invoices and tax notes.

“The main objective of Red Mongoose Daemon is to steal victims’ banking information by spoofing PIX transactions through overlapping windows,” the company said. “This trojan targets Brazilian end users and employees of organizations with banking information.”

“Red Mongoose Daemon can manipulate and create windows, execute commands, control the computer remotely, manipulate web browsers, hijack clipboards, and impersonate Bitcoin wallets by replacing copied wallets with those used by cybercriminals.”
