Mekotio Trojan Targets Latin American Banking Credentials

Written by

A new analysis has shed light on the threat posed by the Mekotio banking trojan, a sophisticated piece of malware primarily targeting Latin American countries since at least 2015. 

Designed to steal sensitive information, particularly banking credentials, Mekotio has been especially active in Brazil, Chile, Mexico, Spain and Peru. This malware shares its origins with other notable Latin American banking malware strains like Grandoreiro, which was disrupted by law enforcement earlier this year. 

Mekotio typically spreads through phishing emails that employ social engineering tactics to deceive users into engaging with malicious links or attachments.

According to an advisory published by Trend Micro, the trojan has often been observed masquerading as communications from tax agencies, suggesting that recipients have unpaid obligations. These phishing emails contain a ZIP file attachment or a link to a harmful site. 

Upon user interaction, the malware is downloaded and executed on their system. In a typical case, the attachment is a PDF file with an embedded malicious link. Once activated, Mekotio collects system information and establishes a connection with a command-and-control (C2) server, which directs the malware's actions.

Mekotio's primary objective is to steal banking credentials. It accomplishes this by displaying fake pop-ups that mimic legitimate banking sites, tricking users into entering their details, which are then harvested. 

In addition to credential theft, Mekotio can capture screenshots, log keystrokes, and steal clipboard data. To achieve persistence, the trojan uses tactics such as adding itself to startup programs or creating scheduled tasks. The stolen information is sent back to the C2 server, enabling malicious actors to use it for fraudulent activities, such as unauthorized access to bank accounts.

Read more on phishing attacks: Report Reveals 341% Rise in Advanced Phishing Attacks

Trend Micro's Mitigation Recommendations

Trend Micro warned that mitigating the risks associated with Mekotio requires adherence to proper security best practices, particularly those focused on email-borne threats. 

Users should be wary of unsolicited emails, verify the sender's address and check for spelling and grammar mistakes in the messages. They should avoid clicking on links and downloading attachments unless absolutely sure of their legitimacy is advised. Hovering over links to check URLs and directly contacting senders using known contact details can also prevent phishing attempts. 

Additionally, employing email filters and anti-spam software and reporting suspicious emails to IT and security teams are effective strategies. Regular phishing awareness training for employees is also recommended to bolster defenses against such social engineering tactics.

"The Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries," reads the advisory.

"By adhering to recommended security practices [...] individuals and organizations can significantly reduce the risk of falling victim to this dangerous malware."

What’s hot on Infosecurity Magazine?