Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

Summary:
Researchers have identified a recent surge in attacks by the Mekotio banking trojan, which has targeted financial institutions in Latin America since at least 2015. The malware primarily targets users in Brazil, Chile, Mexico, Spain, Peru, and Portugal with the goal of stealing banking credentials. Believed to belong to a larger family of Latin American banking trojans, Mekotio relies on tax-themed phishing emails and social engineering to trick victims into clicking malicious links or opening attachments. These attachments typically contain an MSI installer that launches the malware through an AutoHotKey script. This infection chain differs from the Mekotio campaign Check Point detailed in 2021 in that it does not use a second-stage ZIP file to deliver the payload. Once installed, Mekotio gathers system information and connects to a command-and-control server for further instructions. It then displays fake pop-up windows mimicking legitimate banking sites to harvest login credentials, and can also capture screenshots, log keystrokes, steal clipboard data, and establish persistence on the infected machine. Attackers can use the stolen credentials to gain unauthorized access to victims' bank accounts and conduct fraudulent transactions.
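The delivery chain described above (a phishing attachment carrying an MSI installer that in turn launches an AutoHotKey script) leaves a recognisable process lineage on the endpoint: msiexec.exe spawning an AutoHotkey interpreter or a script with an .ahk extension, usually out of a user-writable directory. The script below is an added detection example written for this page; it is not code from Trend Micro, Check Point, or The Hacker News, and the log format, file names, and paths in it are constructed for illustration rather than taken from the campaign.

```python
"""
Added example: flag process-creation events where an MSI installer
(msiexec.exe) spawns an AutoHotkey interpreter or .ahk script, which
matches the MSI -> AutoHotKey delivery chain described in the advisory.
The "key=value" log schema and every path below are constructed for
this example; they are not real telemetry or campaign indicators.
"""
import re
from dataclasses import dataclass
from typing import List

# Hypothetical process-creation log line: ts, parent image, child image, command line.
LINE_RE = re.compile(
    r'^ts=(?P<ts>\S+) parent=(?P<parent>.+?) image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)

# Constructed sample events (not real data). Only the second line should fire.
SAMPLE_LOG = r"""
ts=2024-07-08T10:01:02Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /i C:\Users\alice\Downloads\factura.msi /qn"
ts=2024-07-08T10:01:05Z parent=C:\Windows\System32\msiexec.exe image=C:\Users\alice\AppData\Local\Temp\ahk\AutoHotkey.exe cmdline="AutoHotkey.exe C:\Users\alice\AppData\Local\Temp\ahk\run.ahk"
ts=2024-07-08T10:02:00Z parent=C:\Windows\explorer.exe image=C:\Program Files\AutoHotkey\AutoHotkey.exe cmdline="AutoHotkey.exe C:\Users\bob\scripts\hotkeys.ahk"
ts=2024-07-08T10:03:00Z parent=C:\Windows\System32\msiexec.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c echo done"
"""


@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the constructed log format, skipping malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(**m.groupdict()))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_msi_to_ahk(ev: ProcEvent) -> bool:
    """True when msiexec.exe is the parent and the child is an AutoHotkey binary or .ahk script."""
    parent_is_msi = basename(ev.parent) == "msiexec.exe"
    child_is_ahk = "autohotkey" in basename(ev.image) or ".ahk" in ev.cmdline.lower()
    return parent_is_msi and child_is_ahk


def user_writable(path: str) -> bool:
    """Heuristic: AppData, Temp and Downloads are user-writable locations."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\downloads\\" in p


def detect(text: str) -> List[dict]:
    """Return one finding per event matching the MSI -> AutoHotkey lineage.

    Severity is raised when the interpreter itself runs from a user-writable
    directory, since a legitimately installed AutoHotkey lives under Program Files.
    """
    findings = []
    for ev in parse_log(text):
        if is_msi_to_ahk(ev):
            findings.append({
                "ts": ev.ts,
                "severity": "high" if user_writable(ev.image) else "medium",
                "reason": "msiexec.exe spawned an AutoHotkey interpreter or .ahk script",
                "image": ev.image,
                "cmdline": ev.cmdline,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The third sample line is a deliberate benign case: a user launching their own hotkey script from an installed copy of AutoHotkey is not flagged because the parent is explorer.exe, not msiexec.exe. In a real deployment the parent/child lineage would come from Sysmon Event ID 1 or an EDR process-creation feed rather than this constructed format, and the severity heuristic should be tuned against an allow-list of software that legitimately installs AutoHotkey via MSI.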

Security Officer Comments:
The continued presence of Mekotio since 2015 shows how the malware arsenal aimed at Latin American financial institutions has evolved over the past decade. Mekotio illustrates the growing sophistication of cybercriminal attacks, which combine phishing with social engineering to gain unauthorized access to sensitive financial data. The emergence of similar malware such as Red Mongoose Daemon further underlines the need for heightened vigilance. Financial institutions and individuals in Latin America should be particularly cautious of phishing emails, especially those relating to taxes or invoices. Robust security practices such as verifying email senders, avoiding suspicious links and attachments, and deploying strong cybersecurity solutions are crucial in mitigating the risk of Mekotio infection.

Suggested Corrections:
IOCs for this campaign are published here.

Trend Micro’s Recommendations for Suggested Corrections:

Being skeptical of unsolicited emails:
  • Users should verify the sender’s email address, look for spelling and grammar mistakes, and scrutinize subject lines.
Avoiding clicking on links and downloading attachments:
  • Users should hover over links to check URLs and avoid downloading attachments in general unless absolutely certain of the sender’s identity.
Verifying sender identity:
  • Users should directly contact the sender using known contact details and compare the email with previous correspondence if they suspect that the email might be malicious.
Using email filters and anti-spam software:
  • Organizations should ensure that spam filters and other security tools are turned on and are up to date.
Reporting phishing attempts:
  • Users should report phishing attempts to their IT and security teams when applicable.
Educating employees on security best practices:
  • Organizations should educate their employees on phishing and social engineering tactics, as well as conduct regular phishing awareness training.
Link(s):
https://thehackernews.com/2024/07/experts-warn-of-mekotio-banking-trojan.html

https://www.trendmicro.com/en_us/research/24/g/mekotio-banking-trojan.html