
Mekotio trojan continues to spread despite its operators’ arrests

Hackers have used it in 100 more attacks since arrests


The Mekotio banking trojan continues to be used in new attacks, despite the arrests of people associated with its propagation, according to a new report.

Security researchers at Check Point Research found the malware in new attacks and discovered it uses new tactics to avoid detection.

“The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio distribution in July,” according to Check Point Research (CPR). “It appears that the gang behind the malware were able to narrow the gap quickly and change tactics to avoid detection.”

As soon as the arrests were announced, the Mekotio malware developers — believed to be based in Brazil — quickly updated their malware with new features designed to prevent detection.

Mekotio continues to be distributed through phishing emails that contain malicious links or malicious .ZIP attachments.

The phishing email sent to victims claims that a digital tax receipt is pending submission. When a victim clicks the link in the email, a malicious .ZIP archive is downloaded from an attacker-controlled website.

An analysis of more than 100 attacks in recent months revealed the use of a simple obfuscation method and a substitution cipher to bypass detection by cyber security products.


In addition, the trojan's developers appear to have added a batch file, redesigned with several layers of obfuscation, and a new PowerShell script for the malware. The payload is also packed with Themida, a legitimate software-protection tool that hinders cracking and reverse engineering of the malware. Together, these methods protect the final trojan payload from analysis.

Once installed on a victim’s machine, the Mekotio trojan attempts to steal credentials for banks and financial services and transfer them to a criminal-controlled command-and-control (C2) server.

Researchers said that banking trojans are commonplace in Latin America.

“One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection,” researchers said.

“Our analysis of this campaign highlights the efforts that attackers make to conceal their malicious intentions, bypass security filtering, and trick users. To protect yourself against this type of attack, be suspicious of any email or communication from a familiar brand or organization that asks you to click on a link or open an attached document.”
