
Mekotio Malware: Recent Campaign Targeting Mexico for Financial Information Theft

We looked at a recent campaign targeting Mexico that attempts to distribute the well-known Mekotio banking Trojan, a malware that is still active and targeting various countries in Latin America.

Mekotio is malware that was first seen in 2015 and that remains significantly active in 2023 in several Latin American countries. Its objective is to steal financial information from people, mainly bank account credentials and credit card data. Below we look at a recent campaign targeting Mexico that attempted to infect victims with this malware.

What is Mekotio

Mekotio belongs to the group of Latin American banking Trojans, a set of malware families that can carry out different malicious actions but that stand out for impersonating banks through fake pop-up windows in order to steal sensitive information from victims. We have taken a detailed look at several of these malware families, which, although their main objective is to steal financial information, also have other capabilities.

In the case of Mekotio, more than 70 variants of this banking Trojan have been detected so far in 2023. Although Spanish security forces arrested 16 people linked to the Mekotio and Grandoreiro banking Trojans in 2021, it is believed that Mekotio’s developers were collaborating with other cybercriminal groups, which explains why this malware remains so active. In Latin America, ESET detection data show that Argentina (52%) is the country with the most Mekotio activity, followed by Mexico (17%), Peru (12%), Chile (10%) and Brazil (3%).

Image 4. Detections of Mekotio in Latin America (2023).

Outside Latin America, detections of this threat have also been recorded in Spain, Italy and Ukraine, which shows that its operators have continued to expand their campaigns.

Campaign directed to Mexico

We recently analyzed a campaign that distributes Mekotio through emails (malspam) that use an alleged invoice as a lure and impersonate a well-known multinational company in Mexico.

The body of the email contains the instruction to “open on a Windows computer”. This is probably related to the fact that the malware is targeted at this operating system.

Image 1. An email that reached a person in Mexico containing a link that downloads the Mekotio malware.

The message includes a link that, if clicked, downloads a compressed file (ID-FACT.1684803774.zip) that pretends to be the supposed invoice. When it is unzipped, however, a Windows installer (MSI) file named FACT646c1 is extracted. This file contains several items, among them a DLL file (Binary.tlsBpYCH.dll) containing a variant of the Mekotio malware, which in this case is detected by ESET security solutions as Win32/Spy.Mekotio.GO.
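A defensive triage check for the delivery chain described above, as an added example that is not part of the original article: it inspects a downloaded ZIP in memory and flags members that are installers or executables, by extension or by file signature. The function names, the extension list and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# OLE2 compound-file signature: used by MSI packages and legacy Office files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
PE_MAGIC = b"MZ"  # Windows EXE/DLL header
RISKY_EXT = {".msi", ".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk"}
LEGACY_OFFICE_EXT = {".doc", ".xls", ".ppt"}  # OLE2 is expected for these

def classify_member(name, head):
    """Return the reasons a ZIP member looks like an executable payload."""
    ext = posixpath.splitext(name)[1].lower()
    reasons = []
    if ext in RISKY_EXT:
        reasons.append(f"risky extension {ext}")
    if head.startswith(OLE2_MAGIC) and ext not in LEGACY_OFFICE_EXT:
        reasons.append("OLE2 container (possible MSI)")
    if head.startswith(PE_MAGIC):
        reasons.append("PE header (EXE/DLL)")
    return reasons

def triage_zip(data):
    """Inspect ZIP bytes without extracting to disk; return {member: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: content cannot be checked
                findings[info.filename] = ["encrypted member"]
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed sample: an 'invoice' ZIP with an extensionless MSI-like member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FACT-sample", OLE2_MAGIC + b"\x00" * 64)  # placeholder bytes
        zf.writestr("readme.txt", "constructed benign member")
    return buf.getvalue()

if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample()).items():
        print(member, "->", "; ".join(reasons))
```

Checking the file signature as well as the extension matters here because an installer delivered without a recognisable extension would pass an extension-only filter.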

As we said at the beginning of this post, in addition to stealing financial information, Mekotio is a Trojan that is capable of performing other malicious actions on the compromised computer. For example, it can collect information such as the operating system running on the victim’s computer and the anti-fraud or anti-malware solutions installed. In addition, the malware tries to hide itself on the infected computer using startup registry keys and offers attackers typical backdoor capabilities.

How to be protected from banking Trojans?

Banking Trojan propagation campaigns use social engineering to trick users into downloading and running malware. In this case it is an email that arrives unexpectedly and refers to an invoice. Therefore, the first recommendation is not to click on links or attachments that arrive unexpectedly.

It is also important to have a security program or application on the computer or smartphone that offers antispam tools to block and eliminate these malspam emails and that, in any case, detects the malicious program and prevents its installation.

2023-06-02 10:41:57

