Mekotio Banking Trojan Attacking American Users To Steal Financial Data

Active since 2015, Mekotio is a Latin American banking trojan specifically designed to target financial data in regions like Brazil, Chile, Mexico, Spain, and Peru. It exhibits links to the recently disrupted Grandoreiro malware, both likely originating from the same source. 

Mekotio utilizes phishing emails as its primary infection vector. These emails incorporate social engineering tactics to manipulate users into interacting with malicious links or opening attachments. 

Once compromised, a system employs various techniques to steal banking credentials, including logging keystrokes, capturing screenshots, and pilfering clipboard data.

- Advertisement -

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Mekotio uses persistence mechanisms to guarantee its presence on the infected machine.

A banking trojan targets users through phishing emails disguised as tax agency notifications, which contain ZIP attachments or malicious links. 

Once a user interacts, a PDF attachment opens a malicious link that downloads and executes Mekotio, and upon execution, it gathers system information and connects to a command-and-control server for instructions and tasks. 

Mekotio targets financial information after gaining access to a system, and utilizes phishing tactics to steal credentials through fake login pop-ups designed to mimic legitimate banking websites. 

Mekotio has keylogging, screenshot capture, and clipboard data theft functionalities to gather even more sensitive data.

The malware also implements persistence mechanisms to maintain its foothold by adding itself to startup programs or creating scheduled tasks. 

Banking trojans exploit user trust by mimicking legitimate banking websites, and once a user interacts with the malicious content, the malware steals login credentials and injects them into a real banking website. 

The attackers’ command-and-control (C&C) server, which serves as a central hub and receives the stolen credentials and potentially additional malware instructions, then exfiltrates this information back to it. 

With this stolen banking information, attackers can perform unauthorized actions on the victim’s account, such as initiating fraudulent transactions. 

Users can employ email security practices to mitigate email-borne threats, which include sender verification through email address scrutiny, grammar and spelling checks, and subject line analysis, while links and attachments should be avoided unless the sender is confirmed. 

If suspicious, contact the sender via known channels to confirm the email’s legitimacy. Organizations should utilize up-to-date spam filters and security software, and users should report phishing attempts. 

According to Trend Micro, it is essential to provide employees with regular security awareness training in order to instill in them an understanding of phishing and social engineering techniques. 

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo