Financial institutions in Latin America are facing threats from the Mekotio banking trojan, also known as Melcoz. Researchers report a recent surge in cyberattacks distributing this Windows malware.
Mekotio, active since 2015, targets countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal, aiming to steal banking credentials.
First documented in August 2020, Mekotio is part of a group of banking trojans targeting the region, alongside Guildma, Javali, and Grandoreiro, the latter of which was dismantled by law enforcement earlier this year.
“Mekotio shares common characteristics with other malware of this type, such as being written in Delphi, using fake pop-up windows, containing backdoor functionality, and targeting Spanish- and Portuguese-speaking countries,” the researcher said at the time.
In July 2021, Spanish law enforcement agencies arrested 16 individuals connected to a criminal network orchestrating social engineering campaigns that delivered Grandoreiro and Mekotio to European users.
The attack chains typically involve tax-themed phishing emails designed to trick recipients into opening malicious attachments or clicking bogus links, leading to the deployment of an MSI installer file that uses an AutoHotKey (AHK) script to launch the malware.
This infection process marks a slight deviation from a method detailed by Check Point in November 2021, which used an obfuscated batch script to run a PowerShell script, downloading a second-stage ZIP file containing the AHK script.
Once installed, Mekotio harvests system information and establishes contact with a command-and-control (C2) server to receive further instructions. Its primary objective is to steal banking credentials by displaying fake pop-ups that impersonate legitimate banking sites. Mekotio can also capture screenshots, log keystrokes, steal clipboard data, and establish persistence on the host using scheduled tasks.
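As an added example (not code from the researchers' report), the following Python scans process-creation telemetry for the chain described above: the Windows Installer launching an AutoHotKey interpreter, followed by scheduled-task creation from that process tree. The "key=value" log format, the process names (msiexec.exe, AutoHotkey.exe, schtasks.exe) and all file names are assumptions, and the log lines are constructed.

```python
"""Flag a Mekotio-style MSI -> AutoHotKey -> scheduled-task chain in process telemetry."""
import re
from typing import Dict, List, Optional

# Constructed sample events (format assumed; adapt LINE_RE to your EDR/Sysmon export).
SAMPLE_LOG = """\
ts=2024-07-01T09:00:01 pid=4100 ppid=800 image=C:\\Windows\\System32\\msiexec.exe cmd="msiexec /i C:\\Users\\bob\\Downloads\\factura.msi /qn"
ts=2024-07-01T09:00:03 pid=4120 ppid=4100 image=C:\\Users\\bob\\AppData\\Local\\Temp\\AutoHotkey.exe cmd="AutoHotkey.exe C:\\Users\\bob\\AppData\\Local\\Temp\\run.ahk"
ts=2024-07-01T09:00:05 pid=4130 ppid=4120 image=C:\\Windows\\System32\\schtasks.exe cmd="schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"
ts=2024-07-01T09:05:00 pid=5000 ppid=800 image=C:\\Windows\\System32\\msiexec.exe cmd="msiexec /i C:\\corp\\apps\\office.msi /qn"
ts=2024-07-01T09:06:00 pid=5100 ppid=5000 image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe"
"""

LINE_RE = re.compile(r'ts=(\S+) pid=(\d+) ppid=(\d+) image=(\S+) cmd="(.*)"')


def parse_events(text: str) -> List[Dict]:
    """Parse one process-creation event per line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, pid, ppid, image, cmd = m.groups()
            events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                           "image": image.lower(), "cmd": cmd.lower()})
    return events


def find_mekotio_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per AutoHotKey process spawned by msiexec.exe,
    noting any schtasks /create launched from that AHK process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Stage 2: AHK interpreter (or any process handed a .ahk script) under the installer.
        is_ahk = e["image"].endswith("autohotkey.exe") or ".ahk" in e["cmd"]
        if not (is_ahk and parent and parent["image"].endswith("msiexec.exe")):
            continue
        persistence: Optional[str] = None
        # Stage 3: scheduled-task persistence created by the AHK process.
        for child in events:
            if (child["ppid"] == e["pid"] and child["image"].endswith("schtasks.exe")
                    and "/create" in child["cmd"]):
                persistence = child["cmd"]
        findings.append({"msi": parent["cmd"], "ahk_pid": e["pid"], "persistence": persistence})
    return findings
```

The benign office.msi install is not flagged because its child is not an AutoHotKey process, so the logic keys on the parent-child relationship rather than on msiexec.exe alone.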
The stolen information enables threat actors to gain unauthorized access to users’ bank accounts and perform fraudulent transactions.
“The Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries,” the researchers stated. “It uses phishing emails to infiltrate systems, with the goal of stealing sensitive information while maintaining a strong foothold on compromised machines.”
This development follows Mexican cybersecurity firm Scitum’s disclosure of a new Latin American banking trojan called Red Mongoose Daemon, which, similar to Mekotio, uses MSI droppers distributed via phishing emails masquerading as invoices and tax notes.
To protect against the Mekotio banking trojan, financial institutions should employ multi-layered security strategies, including the use of anti-malware and anti-phishing tools. Regularly updating all software and systems can prevent exploitation of known vulnerabilities.
Additionally, continuous network monitoring and incident response planning can help in early detection and mitigation of threats.