A well-known banking trojan is still active in Latin America

by time news

2023-06-09 17:13:15

ESET discusses a recent campaign attempting to distribute the well-known Mekotio banking Trojan, a malware that is still active and targeting several Latin American countries.


Central America. Mekotio is malware that aims to steal financial information, mainly credentials to access bank accounts or steal credit card data.

It was first detected in 2015 and in 2023 it still shows significant activity in several Latin American countries. ESET has analyzed a recent campaign that attempted to infect victims with this malware.

Mekotio belongs to the group of Latin American banking Trojans, a family of malicious programs capable of a range of actions whose hallmark is impersonating banks through fake pop-up windows. Through these windows they steal sensitive information from the victims.

In 2021, Spanish security forces arrested 16 people linked to the Mekotio and Grandoreiro banking Trojans. It is believed that the Mekotio developers were collaborating with other cybercriminal groups, which explains why this malware is still so active.

So far in 2023, more than 70 variants of this banking Trojan have been detected. Within Latin America, ESET telemetry shows that Argentina (52%) is the country with the most Mekotio activity, followed by Mexico (17%), Peru (12%), Chile (10%) and Brazil (3%).

ESET recently analyzed a campaign that distributed Mekotio through emails (malspam) that use the issuance of an alleged invoice as a lure and impersonate a well-known multinational company in Mexico. The body of the email instructs the recipient to "open on a Windows computer", most likely because the malware targets that operating system.

The message includes a link that, if clicked, downloads a compressed file (ID-FACT.1684803774.zip) posing as the supposed invoice. When it is uncompressed, a Windows Installer (MSI) package is extracted. This package contains several items, among them a DLL file containing a variant of the Mekotio malware, which in this case is detected by ESET security solutions as Win32/Spy.Mekotio.GO.
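The delivery chain described above (a zip posing as an invoice that actually unpacks to an MSI) can be caught before anything is executed. The following is an added example, not ESET's analysis code nor anything from the campaign: it triages an attachment archive by listing its members, flagging executable extensions, and checking the first bytes of each member for the OLE2 compound-document signature that Windows Installer packages (and legacy Office files) carry, so that an MSI renamed to a harmless-looking extension is still caught. The archive name comes from the article; the member names and their contents are constructed stand-ins, not the real sample.

```python
"""Offline triage of an 'invoice' attachment archive.

Added example, not code from ESET or from the Mekotio campaign.
The archive name ID-FACT.1684803774.zip comes from the article; the
archive contents built below are constructed sample data.
"""
import io
import zipfile

# Windows Installer (.msi) packages are OLE2 compound (CFB) documents.
# This is the standard 8-byte CFB header signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Extensions that have no business being inside an "invoice" archive.
EXECUTABLE_EXTENSIONS = {
    ".msi", ".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".cmd",
    ".ps1", ".lnk", ".hta",
}
# Extensions for which OLE2 content is expected (MSI and legacy Office).
OLE_EXTENSIONS = {".msi", ".doc", ".xls", ".ppt", ".msg"}


def _extension(name: str) -> str:
    lower = name.lower()
    return "." + lower.rsplit(".", 1)[-1] if "." in lower else ""


def triage_archive(zip_bytes: bytes) -> dict:
    """Return {'malicious': bool, 'findings': [...]} without executing anything.

    Checks, per member:
      1. executable extension (extension-based);
      2. OLE2 signature in the first 8 bytes (content-based), reported as
         an MSI-style package when the extension is .msi and as a
         mismatch when the extension pretends to be something else;
      3. nested zip (double-zipping is a common filter-evasion trick).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = _extension(name)
            with zf.open(info) as member:
                head = member.read(8)
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name}: executable extension {ext}")
            if head == OLE_MAGIC:
                if ext == ".msi":
                    findings.append(f"{name}: Windows Installer package")
                elif ext not in OLE_EXTENSIONS:
                    findings.append(
                        f"{name}: OLE2 content (MSI/Office) behind {ext or 'no'} extension")
            if head[:4] == ZIP_MAGIC:
                findings.append(f"{name}: nested archive")
    return {"malicious": bool(findings), "findings": findings}


def build_sample(member_name: str, content: bytes) -> bytes:
    """Build an in-memory zip with one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-ins (member names are assumptions, not from the article):
# a fake MSI consisting of the OLE header plus padding, the same content
# renamed to .pdf, and a harmless text "invoice" for comparison.
FAKE_MSI = OLE_MAGIC + b"\x00" * 504
LURE_ARCHIVE = build_sample("ID-FACT.1684803774.msi", FAKE_MSI)
DISGUISED_ARCHIVE = build_sample("Factura.pdf", FAKE_MSI)
BENIGN_ARCHIVE = build_sample("ID-FACT.1684803774.txt", b"Factura 1684803774\n")

if __name__ == "__main__":
    for label, data in (("lure", LURE_ARCHIVE),
                        ("disguised", DISGUISED_ARCHIVE),
                        ("benign", BENIGN_ARCHIVE)):
        print(label, triage_archive(data))
```

The content check matters more than the extension check: mail gateways that only look at names are exactly what a renamed MSI is designed to pass, whereas the CFB signature is fixed by the format and cannot be changed without breaking the installer.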

“In addition to stealing financial information, Mekotio is a Trojan that is capable of performing other malicious actions on the compromised computer. For example, it is capable of collecting information such as the operating system running on the victim’s computer, installed anti-fraud or anti-malware solutions. Likewise, the malware tries to stay hidden on the infected computer using boot registry keys and offers attackers typical backdoor capabilities,” says Camilo Gutiérrez Amaya, head of the ESET Latin America Research Laboratory.

Among ESET's recommendations for avoiding these attacks, the first is not to click on links or attachments that arrive unexpectedly. In addition, equip the computer or smartphone with a security product that offers antispam tools to block and remove such malspam emails and, failing that, detects the malicious program and prevents its installation.
