The operators behind the Mekotio banking Trojan have resurfaced with a reworked infection flow designed to stay under the radar and evade security software, staging nearly 100 attacks in the past three months.
"One of the main characteristics [...] is the modular attack that gives attackers the ability to modify only a small part of the whole in order to avoid detection," researchers from Check Point Research said in a report shared with The Hacker News. The latest wave of attacks primarily targets victims located in Brazil, Chile, Mexico, Peru and Spain.
This development comes after Spanish law enforcement in July 2021 arrested 16 people belonging to a criminal network in connection with the use of Mekotio and another banking malware called Grandoreiro as part of a social engineering campaign targeting financial institutions in Europe.
The evolved version of the Mekotio strain is designed to compromise Windows systems with an attack chain that begins with phishing emails masquerading as pending tax receipts and carrying either a link to a ZIP archive or the ZIP archive itself as an attachment. Opening the ZIP archive triggers execution of a batch script which, in turn, runs a PowerShell script that downloads a second-stage ZIP file.
This second-stage ZIP file contains three files: an AutoHotkey (AHK) interpreter, an AHK script, and the Mekotio DLL payload. The same PowerShell script then invokes the AHK interpreter to run the AHK script, which loads the DLL payload to steal credentials for online banking portals and exfiltrate the results to a remote server.
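The second-stage archive described above has a recognizable shape: a Windows executable named like the AutoHotkey interpreter, an `.ahk` script, and a DLL side by side. The following script is an added example, not code from Check Point or from the report, showing how a defender might flag archives with that layout before they are opened. The member names, the placeholder byte contents and the "MZ" DOS-header check are my assumptions for illustration; they are not indicators taken from the report.

```python
# Added example: heuristic scanner for a ZIP that bundles an AutoHotkey
# interpreter, an .ahk script and a DLL together. The sample archives are
# constructed in memory with placeholder bytes (not real malware).
import io
import zipfile
from dataclasses import dataclass, field

PE_MAGIC = b"MZ"  # every Windows EXE/DLL begins with this DOS-header signature


@dataclass
class TriadVerdict:
    interpreters: list = field(default_factory=list)  # PE files named like an AHK interpreter
    scripts: list = field(default_factory=list)       # *.ahk files
    dlls: list = field(default_factory=list)          # PE files with a .dll extension

    @property
    def suspicious(self) -> bool:
        # The staging chain needs all three components; any one alone is
        # common in benign archives, so only the full triad is flagged.
        return bool(self.interpreters and self.scripts and self.dlls)


def inspect_archive(zip_bytes: bytes) -> TriadVerdict:
    """Classify each ZIP member by file name and by its first two bytes."""
    verdict = TriadVerdict()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1].lower()
            with zf.open(info) as fh:
                is_pe = fh.read(2) == PE_MAGIC  # content check, not just extension
            if name.endswith(".ahk"):
                verdict.scripts.append(info.filename)
            elif is_pe and name.endswith(".dll"):
                verdict.dlls.append(info.filename)
            elif is_pe and "autohotkey" in name:  # assumed naming, e.g. AutoHotkey.exe
                verdict.interpreters.append(info.filename)
    return verdict


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives with placeholder contents.
STAGED_SAMPLE = build_zip({
    "AutoHotkey.exe": PE_MAGIC + b"\x00" * 64,
    "loader.ahk": b"; constructed placeholder script\n",
    "payload.dll": PE_MAGIC + b"\x00" * 64,
})
BENIGN_SAMPLE = build_zip({
    "recibo.pdf": b"%PDF-1.4 constructed placeholder",
    "notas.txt": b"constructed text file",
})


if __name__ == "__main__":
    for label, blob in (("staged", STAGED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = inspect_archive(blob)
        print(f"{label}: suspicious={v.suspicious} {v}")
```

The check reads only the first two bytes of each member, so it is cheap enough to run on every inbound archive at a mail gateway or in a sandbox pre-filter; because it keys on the combination rather than on any single file name, renaming the script or the DLL alone does not evade it, although a renamed interpreter would, which is why the name test should be treated as one signal among several rather than a verdict on its own.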
The malicious modules rely on simple obfuscation techniques, such as substitution ciphers, which give the malware enhanced stealth and allow it to go undetected by most antivirus solutions.
"There is a very real danger that the Mekotio banker will steal usernames and passwords, in order to enter financial institutions," said Kobi Eisenkraft of Check Point. "Therefore, the arrests stopped the activity of Spanish gangs, but not the main cybercrime groups behind Mekotio."
Users in Latin America are strongly advised to enable two-factor authentication to protect their accounts from takeover attacks, and to be wary of look-alike domains, spelling errors in emails or websites, and emails from unknown senders.