Financial institutions across Latin America are facing threats from a banking trojan known as Mekotio (also referred to as Melcoz).
Recent findings from Trend Micro highlight a surge in cyberattacks involving the Windows-based malware.
Active since 2015, Mekotio targets countries such as Brazil, Chile, Mexico, Spain, Peru, and Portugal, aiming to steal banking credentials.
First documented by ESET in August 2020, it belongs to a group of banking trojans that includes Guildma, Javali, and Grandoreiro—the latter was dismantled by law enforcement earlier this year.
“Mekotio exhibits common traits of this malware type, including being written in Delphi, using fake pop-up windows, having backdoor functionality, and targeting Spanish- and Portuguese-speaking countries,” stated the Slovakian cybersecurity firm.
The operation suffered a setback in July 2021 when Spanish law enforcement arrested 16 individuals linked to a criminal network responsible for social engineering campaigns targeting European users with Grandoreiro and Mekotio.
These attacks typically use tax-themed phishing emails to lure recipients into opening malicious attachments or clicking fake links, leading to the deployment of an MSI installer file. This file then utilizes an AutoHotKey (AHK) script to execute the malware.
It’s notable that the infection method shows a slight variation from the process previously detailed by Check Point in November 2021, which involved an obfuscated batch script running a PowerShell script to download a second-stage ZIP file containing the AHK script.
Once Mekotio is installed, it gathers system information and contacts a command-and-control (C2) server for further instructions.
Its primary goal is to steal banking credentials by displaying fake pop-ups that mimic legitimate banking sites. Additionally, it can capture screenshots, log keystrokes, steal clipboard data, and establish persistence on the host through scheduled tasks.
The stolen data enables threat actors to gain unauthorized access to users’ bank accounts and conduct fraudulent transactions.
“The Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries,” said Trend Micro. “It uses phishing emails to infiltrate systems with the intent of stealing sensitive information while maintaining a strong presence on compromised machines.”
This development comes as Mexican cybersecurity firm Scitum revealed details of a new Latin American banking trojan named Red Mongoose Daemon. Similar to Mekotio, it uses MSI droppers distributed via phishing emails posing as invoices and tax notes.
“The main objective of Red Mongoose Daemon is to steal victims’ banking information by spoofing PIX transactions through overlapping windows,” the company stated. “This trojan targets Brazilian end users and employees of organizations with banking information.”
“Red Mongoose Daemon can manipulate and create windows, execute commands, control computers remotely, manipulate web browsers, hijack clipboards, and impersonate Bitcoin wallets by replacing copied wallet addresses with those used by cybercriminals.”
Source: TheHackerNews
