Mekotio Banking Trojan Intensifies Threats Against Latin American Financial Institutions
A serious cybersecurity concern has emerged as banks and financial institutions across Latin America face increasing threats from a malware known as Mekotio, also referred to as Melcoz. Recent findings from cybersecurity firm Trend Micro point to a notable rise in cyber attacks involving this banking trojan, which is specifically engineered to steal banking credentials.
Mekotio has been in operation since 2015 and predominantly targets several countries in Latin America, including Brazil, Chile, Mexico, Spain, Peru, and Portugal. The malware’s primary objective is to acquire users’ banking credentials, which it pursues through social engineering and phishing campaigns rather than software exploits. First documented by ESET in August 2020, Mekotio is categorized alongside other regional banking trojans, such as Guildma, Javali, and Grandoreiro, the last of which suffered significant disruption after law enforcement actions earlier this year.
This banking trojan exhibits common attributes characteristic of this type of malware. According to Trend Micro, Mekotio is developed using Delphi and utilizes deceptive pop-up windows to masquerade as legitimate banking sites. Additionally, it possesses backdoor capabilities, facilitating unauthorized access to compromised systems. These features allow attackers to harvest sensitive information effectively while maintaining persistence within the infected machines, which aligns with tactics outlined in the MITRE ATT&CK framework.
The mechanics of Mekotio’s operations typically begin with the deployment of tax-themed phishing emails designed to entice recipients into opening contaminated attachments or clicking on malicious links. These actions prompt the execution of an MSI installer file, which utilizes an AutoHotKey script to activate the malware. The infection chain notably differs from previous iterations described by cybersecurity experts, indicating a continual evolution in the tactics employed by its developers.
Once embedded in a target system, Mekotio gathers system information and contacts a command-and-control (C2) server for further instructions. Its nefarious intentions include capturing banking credentials through fake pop-up windows that imitate genuine financial platforms. Additionally, Mekotio is capable of logging keystrokes, taking screenshots, and exfiltrating clipboard data, while ensuring its longevity through scheduled task mechanisms.
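The two behaviours described above, an MSI installer handing off to an AutoHotKey script and persistence through a scheduled task, are the kind of thing a defender can look for in process-creation telemetry. The following is an added detection sketch, not code from the article, Trend Micro, or ESET. The JSON field names (`parent`, `image`, `cmdline`) are an assumed, Sysmon-like layout, the sample events are constructed for illustration, and the user-writable path prefixes are a hypothetical shortlist rather than an exhaustive one.

```python
"""Added detection sketch (not from the article or any vendor): flag
(1) msiexec.exe spawning an AutoHotkey interpreter and (2) scheduled-task
creation whose target lives under a user-writable directory."""
import json
from pathlib import PureWindowsPath

# Assumed shortlist of directories an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample telemetry; field names are an assumption, not a vendor format.
SAMPLE_EVENTS = [
    {"ts": "2024-07-01T10:02:11Z", "host": "wk01",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Users\ana\AppData\Local\Temp\ahk\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe loader.ahk"},
    {"ts": "2024-07-01T10:05:40Z", "host": "wk02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe hotkeys.ahk"},  # legitimate interactive use
    {"ts": "2024-07-01T10:06:02Z", "host": "wk01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\ana\AppData\Roaming\svc\upd.exe" /sc minute /mo 5'},
    {"ts": "2024-07-01T10:07:15Z", "host": "wk03",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe" /sc daily'},
    {"ts": "2024-07-01T10:08:00Z", "host": "wk01",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /V"},  # normal installer child process
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def _basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the names of the rules a single event triggers (possibly none)."""
    hits = []
    parent = _basename(event.get("parent", ""))
    image = _basename(event.get("image", ""))
    cmdline = event.get("cmdline", "").lower()
    # Rule 1: installer-to-interpreter hand-off as in the described infection chain.
    if parent == "msiexec.exe" and ("autohotkey" in image or ".ahk" in cmdline):
        hits.append("msi_spawns_autohotkey")
    # Rule 2: persistence via a scheduled task pointing into a user-writable path.
    if image == "schtasks.exe" and "/create" in cmdline:
        if any(prefix in cmdline for prefix in USER_WRITABLE_PREFIXES):
            hits.append("schtask_user_writable_path")
    return hits


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep sweeping rather than abort on one bad record
    return events


def scan(text):
    """Run every rule over every event; return (timestamp, host, rule) findings."""
    findings = []
    for ev in parse_events(text):
        for rule in classify(ev):
            findings.append((ev.get("ts"), ev.get("host"), rule))
    return findings


if __name__ == "__main__":
    for ts, host, rule in scan(SAMPLE_LOG):
        print(f"{ts} {host} {rule}")
```

Against the constructed sample only the first AutoHotkey event and the first `schtasks` event fire; the interpreter launched from Explorer and the task pointing into Program Files do not. Tuning the parent-process list and the path prefixes to the environment's own software inventory is what keeps rules like these from drowning in false positives.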
In a troubling development for the region, the Mexican cybersecurity firm Scitum has reported the emergence of another banking trojan, named Red Mongoose Daemon. Like Mekotio, this trojan is distributed through phishing emails disguised as invoices and tax documentation. Red Mongoose Daemon focuses on Brazilian users, targeting their PIX transactions by displaying misleading windows that can facilitate unauthorized transactions and siphon off sensitive banking information.
The resurgence of Mekotio and the appearance of Red Mongoose Daemon underscore the persistent threat that innovative and adaptable malware poses to financial systems in Latin America. Organizations must be vigilant, adopting robust cybersecurity measures to protect themselves against such evolving threats. Trend Micro emphasizes that the Mekotio banking trojan represents an ongoing and adaptive risk to financial institutions, utilizing sophisticated phishing tactics to infiltrate systems and compromise sensitive data.
In conclusion, the increasing sophistication and proliferation of banking trojans like Mekotio and Red Mongoose Daemon demand heightened awareness among businesses. Companies are urged to strengthen their security posture actively, aligning with best practices informed by the MITRE ATT&CK framework to mitigate risks stemming from these types of cyber threats.