Mekotio Banking Trojan Returns with New Stealth Techniques

The operators of the Mekotio banking trojan have resurfaced with a noticeable shift in the malware's infection flow, made in order to stay under the radar and evade security software, and have staged nearly 100 attacks over the last 3 months.

Modularity is one of the attack's main characteristics, as it gives the operators the ability to change only a small part of the whole in order to avoid detection. This latest wave of attacks is said to primarily target victims located in Brazil, Peru, Spain and Mexico.

This follows arrests made by Spanish law enforcement agencies in July 2021, when 16 individuals belonging to a criminal network were detained in connection with operating Mekotio and Grandoreiro (another banking malware) as part of a social engineering campaign targeting financial institutions in Europe.

The evolved version of the Mekotio malware strain is made for compromising Windows systems with an attack chain that commences via phishing emails disguised as pending tax receipts and containing a link to a ZIP file or a ZIP file as an attachment. Opening the ZIP archive triggers the execution of a batch script that, in turn, runs a PowerShell script to download a second-stage ZIP file.

This secondary ZIP file houses three different files — an AutoHotkey (AHK) interpreter, an AHK script, and the Mekotio DLL payload. The aforementioned PowerShell script then calls the AHK interpreter to execute the AHK script, which runs the DLL payload to steal passwords from online banking portals and exfiltrate the results back to a remote server.
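The batch-to-PowerShell-to-AutoHotkey chain described above is a useful detection anchor, since an AHK interpreter descending from PowerShell and a batch script is unusual on most endpoints. The following is an added example (not from the article or from Check Point) that walks constructed Sysmon-style process-creation events and flags that ancestry; the event format, process names and command lines are assumptions, and DLL loading by the AHK script is out of scope here because it needs image-load telemetry.

```python
# Added example: flag the cmd.exe -> powershell.exe -> AutoHotkey.exe process
# chain over constructed process-creation events (not real telemetry).
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name, lower-cased by the collector (assumed)
    cmdline: str


def ancestry(events, pid):
    """Return image names from the given process up to the root, child first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-guard against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def find_ahk_chains(events):
    """PIDs of AutoHotkey processes running an .ahk script whose ancestry
    contains powershell.exe, which in turn descends from cmd.exe."""
    hits = []
    for e in events:
        if e.image != "autohotkey.exe" or ".ahk" not in e.cmdline.lower():
            continue
        chain = ancestry(events, e.pid)
        if "powershell.exe" in chain and "cmd.exe" in chain:
            # PowerShell must be the nearer ancestor, i.e. launched by the batch stage
            if chain.index("powershell.exe") < chain.index("cmd.exe"):
                hits.append(e.pid)
    return hits


# Constructed sample: the article's chain plus benign noise (placeholder paths).
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "cmd.exe", 'cmd.exe /c "C:\\Users\\u\\Downloads\\receipt.bat"'),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -File stage.ps1"),
    ProcEvent(400, 300, "autohotkey.exe", "AutoHotkey.exe C:\\Users\\u\\AppData\\Local\\Temp\\x\\run.ahk"),
    ProcEvent(500, 100, "autohotkey.exe", "AutoHotkey.exe C:\\tools\\hotkeys.ahk"),  # user-launched, benign
    ProcEvent(600, 100, "powershell.exe", "powershell.exe -Command Get-Process"),
]

if __name__ == "__main__":
    print(find_ahk_chains(SAMPLE))  # -> [400]
```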

The use of substitution ciphers is one of the simple obfuscation techniques employed by the malicious module, giving the malware improved stealth and enabling it to go undetected by most antivirus solutions.

“There’s a very real danger in the Mekotio banker stealing usernames and passwords, in order to gain entry into financial institutions,” Check Point’s Kobi Eisenkraft said. “Hence, the arrests stopped the activity of the Spanish gangs, but not the main cybercrime groups behind Mekotio.”

Users in Latin America are highly recommended to use two-factor authentication to secure their accounts from takeover attacks, and watch out for lookalike domains, spelling errors in emails or websites, and email messages from unfamiliar senders.
