The resurgence of the Mekotio banking trojan has emerged as a severe threat to financial institutions and individuals throughout Latin America. Since its inception in 2015, the Mekotio malware has targeted countries such as Brazil, Chile, Mexico, Spain, and Peru, with a primary focus on stealing sensitive information, particularly banking credentials.
Like other Latin American banking malware such as Grandoreiro, which was recently disrupted by law enforcement, Mekotio has returned with increased activity across several campaigns. Security researchers from Trend Micro have observed a rise in Mekotio activity, with the malware reaching systems through phishing emails posing as communications from tax agencies. These messages typically warn recipients about unpaid tax obligations, leading them to download and execute the malware unknowingly via malicious ZIP file attachments or links.
Upon activation, Mekotio initiates its malicious operations by collecting system information and establishing a connection with a command-and-control server. The trojan then engages in credential theft, displaying fake login screens resembling legitimate banking websites to dupe users into disclosing their credentials. Additionally, Mekotio captures screenshots, logs keystrokes, and steals clipboard data as part of its information-gathering tactics. To ensure persistence on infected systems, the malware employs techniques like adding itself to startup programs or creating scheduled tasks.
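As an added defender-side example, not taken from the Trend Micro or Microsoft write-ups, the script below applies the chain described above to persistence telemetry: it inspects Run key and scheduled task artifacts and flags any whose command points at a binary or script in a user-writable staging directory, the kind of location a ZIP attachment is extracted to. The event rows, user name, file names and directory list are all constructed for illustration and are not Mekotio indicators.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Directories a legitimate installer rarely uses for a persistent binary.
# Illustrative list chosen for this example, not a published indicator.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Quoted or bare paths ending in common executable/script extensions.
PATH_RE = re.compile(r'"([^"]+?\.(?:exe|dll|vbs|js|bat|ps1))"|(\S+?\.(?:exe|dll|vbs|js|bat|ps1))', re.I)

@dataclass
class PersistenceEvent:
    source: str   # "run_key" (e.g. Sysmon event 13 on HKCU\...\Run) or "scheduled_task" (Security 4698)
    name: str     # registry value name or task name
    command: str  # command line stored in the artifact

def referenced_paths(command: str) -> List[str]:
    """Every executable/script path a command line references, lowercased."""
    return [(quoted or bare).lower() for quoted, bare in PATH_RE.findall(command)]

def triage(events: List[PersistenceEvent]) -> List[Tuple[str, str, str]]:
    """Return (source, name, path) for each artifact that launches something from a staging dir.
    Indirect launches (rundll32 loading a DLL, wscript running a .vbs) are caught because
    every path on the command line is checked, not just the first executable."""
    hits = []
    for ev in events:
        for path in referenced_paths(ev.command):
            if any(d in path for d in STAGING_DIRS):
                hits.append((ev.source, ev.name, path))
                break
    return hits

# Constructed sample telemetry: two benign entries and two that fit the described chain.
SAMPLE_EVENTS = [
    PersistenceEvent("run_key", "OneDrive",
                     r'"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    PersistenceEvent("run_key", "Update",
                     r'C:\Windows\System32\rundll32.exe C:\Users\ana\AppData\Local\Temp\fatura_2024\lib.dll,Start'),
    PersistenceEvent("scheduled_task", r'\SysCheck',
                     r'wscript.exe "C:\Users\ana\Downloads\fatura_2024\run.vbs"'),
    PersistenceEvent("scheduled_task", r'\Microsoft\Windows\Defrag\ScheduledDefrag',
                     r'%windir%\system32\defrag.exe -c -h -o'),
]

if __name__ == "__main__":
    for source, name, path in triage(SAMPLE_EVENTS):
        print(f"[{source}] {name} -> {path}")
```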
Security researchers have identified Mekotio as a geolocation-specific Trojan, with a threat summary from Microsoft Security Intelligence highlighting its evasion tactics, including a malicious DLL that executes via DLL sideloading. Victims of Mekotio infections may find themselves unable to access legitimate banking websites post-infection, further underscoring the threat posed by this malware.
To counter the risks associated with Mekotio, researchers recommend best practices such as treating unsolicited emails with caution, verifying sender identities, refraining from clicking suspicious links or downloading attachments, and educating employees on security protocols. Keeping email filters and anti-spam software up to date, and promptly reporting phishing attempts to IT and security teams, can further bolster defenses against Mekotio and similar threats.
By adhering to these preventive measures, organizations and individuals can mitigate the risk of falling victim to the Mekotio banking trojan. By remaining vigilant, scrutinizing potential indicators of compromise, and staying informed about emerging threats, stakeholders can fortify their defenses against the ever-evolving landscape of cyber threats.
