Introduction
The Mekotio banking trojan is a sophisticated piece of malware that has been active since at least 2015, primarily targeting Latin American countries with the goal of stealing sensitive information — particularly banking credentials — from its targets. Originating in the Latin American region, it has been particularly prolific in Brazil, Chile, Mexico, Spain, and Peru. Furthermore, Mekotio seems to share a common origin with other notable Latin American banking malware such as Grandoreiro, which was disrupted by law enforcement earlier this year. Mekotio is often delivered through phishing emails, employing social engineering to trick users into interacting with malicious links or attachments.
We’ve recently seen a surge in attacks involving Mekotio amongst our customers. In this blog entry, we'll provide an overview of the trojan and what it does.
How Mekotio Works
Figure 1 shows the attack chain for a Mekotio infection:
Mekotio typically arrives through emails that appear to be from tax agencies alleging that the user has unpaid tax obligations. These emails contain a ZIP file attachment or a link to a malicious site. Once the user interacts with the email, the malware is downloaded and executed on their system. In our analysis, the attachment is a PDF file that contains the malicious link.
Upon execution, Mekotio gathers system information and establishes a connection with a command- and-control (C&C) server. This server provides instructions and a list of tasks for the malware to perform.
Once inside the system, Mekotio performs the following malicious activities:
- Credential Theft: Mekotio's main goal is to steal banking credentials. It achieves this by displaying fake pop-ups that mimic legitimate banking sites, tricking users into entering their details, which the trojan then proceeds to harvest.
- Information Gathering: Mekotio can capture screenshots, log keystrokes, and steal clipboard data.
- Persistence Mechanisms: Mekotio employs various tactics to maintain its presence on the infected system, including adding itself to startup programmes or creating scheduled tasks.
The stolen banking information is sent back to the C&C server, where it can be further used by malicious actors for fraudulent activities, such as unauthorised access to bank accounts.
Mitigation
By practising proper security best practises, users can protect themselves from threats that are primarily delivered via email. These include the following:
- Being sceptical of unsolicited emails
- Users should verify the sender’s email address, look for spelling and grammar mistakes, and scrutinise subject lines.
- Avoiding clicking on links and downloading attachments
- Users should hover over links to check URLs and avoid downloading attachments in general unless absolutely certain of the sender’s identity.
- Verifying sender identity
- Users should directly contact the sender using known contact details and compare the email with previous correspondence if they suspect that the email might be malicious.
- Using email filters and anti-spam software
- Organisations should ensure that spam filters and other security tools are turned on and are up to date.
- Reporting phishing Attempts
- Users should report phishing attempts to their IT and security teams when applicable.
- Educating employees on security best practises
- Organisations should educate their employees on phishing and social engineering tactics, as well as conduct regular phishing awareness training.
Conclusion
The Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries. It uses phishing emails to infiltrate systems, with the goal of stealing sensitive information while also maintaining a strong foothold on compromised machines. By adhering to recommended security practises, such as verifying email authenticity, avoiding suspicious links and attachments, and employing robust cybersecurity solutions, individuals and organisations can significantly reduce the risk of falling victim to this dangerous malware.
Indicators of Compromise
The indicators of compromise for this entry can be found here.