Monday, November 11, 2024
Homecyber securityMekotio Banking Trojan Attacking American Users To Steal Financial Data

Mekotio Banking Trojan Attacking American Users To Steal Financial Data

Published on

Malware protection

Active since 2015, Mekotio is a Latin American banking trojan specifically designed to target financial data in regions like Brazil, Chile, Mexico, Spain, and Peru. It exhibits links to the recently disrupted Grandoreiro malware, both likely originating from the same source. 

Mekotio utilizes phishing emails as its primary infection vector. These emails incorporate social engineering tactics to manipulate users into interacting with malicious links or opening attachments. 

Once compromised, a system employs various techniques to steal banking credentials, including logging keystrokes, capturing screenshots, and pilfering clipboard data.

- Advertisement - SIEM as a Service

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Mekotio uses persistence mechanisms to guarantee its presence on the infected machine.

Mekotio attack chain

A banking trojan targets users through phishing emails disguised as tax agency notifications, which contain ZIP attachments or malicious links. 

Once a user interacts, a PDF attachment opens a malicious link that downloads and executes Mekotio, and upon execution, it gathers system information and connects to a command-and-control server for instructions and tasks. 

Mekotio targets financial information after gaining access to a system, and utilizes phishing tactics to steal credentials through fake login pop-ups designed to mimic legitimate banking websites. 

Mekotio has keylogging, screenshot capture, and clipboard data theft functionalities to gather even more sensitive data.

The malware also implements persistence mechanisms to maintain its foothold by adding itself to startup programs or creating scheduled tasks. 

Banking trojans exploit user trust by mimicking legitimate banking websites, and once a user interacts with the malicious content, the malware steals login credentials and injects them into a real banking website. 

The attackers’ command-and-control (C&C) server, which serves as a central hub and receives the stolen credentials and potentially additional malware instructions, then exfiltrates this information back to it. 

With this stolen banking information, attackers can perform unauthorized actions on the victim’s account, such as initiating fraudulent transactions. 

Users can employ email security practices to mitigate email-borne threats, which include sender verification through email address scrutiny, grammar and spelling checks, and subject line analysis, while links and attachments should be avoided unless the sender is confirmed. 

If suspicious, contact the sender via known channels to confirm the email’s legitimacy. Organizations should utilize up-to-date spam filters and security software, and users should report phishing attempts. 

According to Trend Micro, it is essential to provide employees with regular security awareness training in order to instill in them an understanding of phishing and social engineering techniques. 

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Latest articles

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...