Mekotio banking trojan imitates update alerts to steal Bitcoin

Aug 17, 2014
A versatile banking trojan targeting users in Latin America has been circulating in multiple countries including Mexico, Brazil, Chile, Spain, Peru, and Portugal.

The malware ensures persistence on infected systems and has advanced capabilities such as planting backdoors, stealing bitcoins, and exfiltrating credentials.

Dubbed Mekotio, the trojan collects sensitive information from victim hosts, such as the firewall configuration, operating system details, whether admin privileges are enabled, and the status of any antivirus products installed.

"Mekotio has several typical backdoor capabilities. It can take screenshots, manipulate windows, simulate mouse and keyboard actions, restart the machine, restrict access to various banking websites and update itself," explains a report released by ESET this week.

Some variants of the trojan can also hijack cryptocurrency by replacing a Bitcoin wallet address in the clipboard, and can harvest saved passwords from the Chrome web browser.
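The clipboard swap described above is detectable on the endpoint: the trojan replaces one syntactically valid Bitcoin address with another within a fraction of a second of the user copying it, something a human rarely does. The following is an added example (not code from the article or from ESET) that validates Base58Check addresses (both the 0x00 P2PKH and 0x05 P2SH version bytes, going slightly beyond the article's generic "wallet address") and flags rapid address-to-address replacements in a sequence of clipboard snapshots. The two-second threshold, the snapshot format and all addresses are constructed assumptions for illustration.

```python
import hashlib
from typing import List, Optional, Tuple

# Bitcoin Base58 alphabet (no 0, O, I, l)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data: bytes) -> bytes:
    """First 4 bytes of double-SHA256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def base58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + 20-byte hash + checksum as a Base58Check address."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # each leading zero byte becomes a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(addr: str) -> Optional[bytes]:
    """Return the 25 raw bytes if addr is well-formed with a valid checksum, else None."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the Base58 alphabet
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return None  # legacy addresses are exactly 1 + 20 + 4 bytes
    if _checksum(raw[:-4]) != raw[-4:]:
        return None  # checksum mismatch: typo or corruption
    return raw


def is_bitcoin_address(text: str) -> bool:
    """True for a checksum-valid legacy address with a P2PKH (0x00) or P2SH (0x05) version byte."""
    raw = base58check_decode(text)
    return raw is not None and raw[0] in (0x00, 0x05)


def detect_clipboard_swaps(snapshots: List[Tuple[int, str]],
                           max_gap_ms: int = 2000) -> List[Tuple[str, str, int]]:
    """Flag cases where one valid address is replaced by a different valid address
    within max_gap_ms. snapshots is a list of (timestamp_ms, clipboard_text).
    Returns (old_address, new_address, gap_ms) for each suspicious replacement."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        if cur == prev:
            continue
        gap = t_cur - t_prev
        if is_bitcoin_address(prev) and is_bitcoin_address(cur) and gap <= max_gap_ms:
            alerts.append((prev, cur, gap))
    return alerts


# Constructed sample data (assumption): two addresses derived from throwaway payloads.
ADDR_VICTIM = base58check_encode(0x00, hashlib.sha256(b"constructed victim payload").digest()[:20])
ADDR_SWAPPED = base58check_encode(0x05, hashlib.sha256(b"constructed swapped payload").digest()[:20])

# Constructed clipboard history: the user copies ADDR_VICTIM, and 300 ms later the
# clipboard holds a different valid address. The copy at 120 s is a normal user action.
SNAPSHOTS = [
    (0, "meeting notes"),
    (5000, ADDR_VICTIM),
    (5300, ADDR_SWAPPED),
    (40000, ADDR_SWAPPED),
    (120000, ADDR_VICTIM),
]


def run_demo() -> List[Tuple[str, str, int]]:
    """Return the alerts produced over the constructed clipboard history."""
    return detect_clipboard_swaps(SNAPSHOTS)


if __name__ == "__main__":
    for old, new, gap in run_demo():
        print(f"suspicious swap after {gap} ms: {old} -> {new}")
```

In practice the snapshot list would come from a clipboard hook or an EDR sensor; the checksum validation matters because the trojan swaps in a well-formed address, so a regex on the address shape alone cannot tell the two apart, while the timing heuristic separates the automated swap from a user copying a second address later.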

ESET's researchers have stated that phishing spam appears to be the primary distribution method used by the creators of Mekotio.