Mekotio Banking Trojan Resurfaces with New Attacking and Stealth Techniques


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
The operators behind the Mekotio banking trojan have resurfaced with a shift in its infection flow so as to stay under the radar and evade security software, while staging nearly 100 attacks over the last three months.

"One of the main characteristics […] is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection," researchers from Check Point Research said in a report shared with The Hacker News. The latest wave of attacks are said to primarily target victims located in Brazil, Chile, Mexico, Peru, and Spain.

The development comes after Spanish law enforcement agencies in July 2021 arrested 16 individuals belonging to a criminal network in connection with operating Mekotio and another banking malware called Grandoreiro as part of a social engineering campaign targeting financial institutions in Europe.

The evolved version of the Mekotio malware strain is designed for compromising Windows systems with an attack chain that commences with phishing emails masquerading as pending tax receipts and containing a link to a ZIP file or a ZIP file as an attachment. Clicking open the ZIP archive triggers the execution of a batch script that, in turn, runs a PowerShell script to download a second-stage ZIP file.