Mekotio Trojan Targets Americans: Financial Data at Risk

The Mekotio banking trojan targets users through phishing emails disguised as tax agency communications, which exploit social engineering tactics to lure victims into downloading a ZIP attachment or clicking a malicious link. 

Upon interaction, the attachment, often a PDF containing a hidden link, triggers the download and execution of the malware on the compromised system. Once running, Mekotio initiates a two-step process to establish communication with its operators and receive instructions.

First, it gathers information about the infected system, which likely includes details such as operating system type, hardware specifications, and potentially even running processes.

Then, it uses this collected data to connect to a predetermined command-and-control (C&C) server, which acts as the malware's master, issuing commands and tasking Mekotio with further malicious activities.

Active since 2015, Mekotio is a Latin American banking trojan targeting financial credentials. Primarily affecting users in Brazil, Chile, Mexico, Spain, and Peru, Mekotio leverages phishing emails with social engineering tactics to trick victims into clicking malicious links or opening attachments. 

The malware exhibits persistence mechanisms and information-gathering techniques such as screenshot capture, keystroke logging, and clipboard data theft. With its roots potentially linked to Grandoreiro (disrupted in 2024), Mekotio is a persistent threat requiring robust cybersecurity solutions for mitigation.

Mekotio attack chain

As a banking trojan, Mekotio targets financial information through credential theft, displaying fake login pop-ups that resemble legitimate banking websites. Once a user enters their credentials, Mekotio steals the data.

To gather even more sensitive information, the malware can capture screenshots, log keystrokes, and steal clipboard content. 

It also employs persistence mechanisms to solidify its presence on the system, which may involve adding itself to startup programs or creating scheduled tasks, ensuring its malicious activity continues across reboots.

Banking trojans like Mekotio establish a connection to a command-and-control (C&C) server after infiltrating a system. This server acts as a central hub, issuing instructions and tasking the malware with specific actions.

According to Trend Micro, a common objective is credential theft, often achieved through phishing tactics that mimic legitimate banking sites. 

Once the user enters their login details, the malware transmits this stolen banking information back to the C&C server, which empowers attackers with unauthorized access to victims’ bank accounts, enabling them to commit financial fraud. 

Users can counter such threats with vigilant email practices: verifying the sender's actual email address rather than the display name, scrutinizing content for errors, and avoiding suspicious links and attachments.
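A small triage script implementing the email checks just described (sender-address verification, flagging ZIP/PDF attachments, and extracting links from the body). This is an added example, not code from the article or from Trend Micro; the lure keyword list, the trusted domain, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: words a tax-agency lure tends to put in the
# display name, the domains a genuine notice comes from, attachment types.
LURE_KEYWORDS = ("tax", "revenue", "hacienda", "receita")
TRUSTED_DOMAINS = {"tax-agency.example"}
RISKY_EXTENSIONS = (".zip", ".pdf", ".exe", ".msi", ".js", ".lnk")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def triage_email(raw: str) -> dict:
    """Return the findings a mail filter would raise for one message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = {"sender_mismatch": False, "risky_attachments": [], "urls": []}
    # Display name claims a tax authority but the address domain is untrusted.
    if any(k in name.lower() for k in LURE_KEYWORDS) and domain not in TRUSTED_DOMAINS:
        findings["sender_mismatch"] = True
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings["risky_attachments"].append(fname)
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True) or b""
            findings["urls"].extend(URL_RE.findall(body.decode(errors="replace")))
    # One point per lure ingredient the article describes: spoofed sender, attachment, link.
    findings["score"] = int(findings["sender_mismatch"]) + bool(findings["risky_attachments"]) + bool(findings["urls"])
    return findings

# Constructed sample message (placeholder addresses, not a real Mekotio lure).
SAMPLE = """\
From: "Tax Agency Notices" <notices@mail-example.invalid>
Subject: Pending tax document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your document is ready: <a href="http://example.invalid/doc">Download</a></p>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="tax_document.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""
```

Running `triage_email(SAMPLE)` flags all three ingredients (score 3); a genuine notice from a trusted domain with no attachment or link scores 0.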

Organizations should maintain up-to-date email filters and anti-spam software. Phishing attempts must be reported, and employee security awareness training should be conducted regularly. 


Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
