Mekotio Banking Trojan Attacking American Users To Steal Financial Data

Active since 2015, Mekotio is a Latin American banking trojan specifically designed to target financial data in regions like Brazil, Chile, Mexico, Spain, and Peru. It exhibits links to the recently disrupted Grandoreiro malware, both likely originating from the same source. 

Mekotio utilizes phishing emails as its primary infection vector. These emails incorporate social engineering tactics to manipulate users into interacting with malicious links or opening attachments. 

Once compromised, a system employs various techniques to steal banking credentials, including logging keystrokes, capturing screenshots, and pilfering clipboard data.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Mekotio uses persistence mechanisms to guarantee its presence on the infected machine.

Mekotio attack chain

A banking trojan targets users through phishing emails disguised as tax agency notifications, which contain ZIP attachments or malicious links. 

Once a user interacts, a PDF attachment opens a malicious link that downloads and executes Mekotio, and upon execution, it gathers system information and connects to a command-and-control server for instructions and tasks. 

Mekotio targets financial information after gaining access to a system, and utilizes phishing tactics to steal credentials through fake login pop-ups designed to mimic legitimate banking websites. 

Mekotio has keylogging, screenshot capture, and clipboard data theft functionalities to gather even more sensitive data.

The malware also implements persistence mechanisms to maintain its foothold by adding itself to startup programs or creating scheduled tasks. 

Banking trojans exploit user trust by mimicking legitimate banking websites, and once a user interacts with the malicious content, the malware steals login credentials and injects them into a real banking website. 

The attackers’ command-and-control (C&C) server, which serves as a central hub and receives the stolen credentials and potentially additional malware instructions, then exfiltrates this information back to it. 

With this stolen banking information, attackers can perform unauthorized actions on the victim’s account, such as initiating fraudulent transactions. 

Users can employ email security practices to mitigate email-borne threats, which include sender verification through email address scrutiny, grammar and spelling checks, and subject line analysis, while links and attachments should be avoided unless the sender is confirmed. 

If suspicious, contact the sender via known channels to confirm the email’s legitimacy. Organizations should utilize up-to-date spam filters and security software, and users should report phishing attempts. 

According to Trend Micro, it is essential to provide employees with regular security awareness training in order to instill in them an understanding of phishing and social engineering techniques. 

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Aman Mishra

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitive Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

12 hours ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

13 hours ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

13 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

14 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

2 days ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

3 days ago