LatAM Banking Trojan

Mekotio banking Trojan, originally known for targeting banking customers in Chile, has been expanding its scope both geographically and tactically. Mekotio is the second banking malware observed doing this within this week.

Multiple, distinct malware families have havoced Latin American Banks for years – the variants include Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist and Zumanek.

Mekotio expands across Latin America

Mekotio Trojan operators have been regularly updating their malware to cover more financial organizations across several Latin American countries, as well some new enhancements have been observed recently.

  • Researcher found several variants of Mekotio Trojan that were registered to specifically target users in Spain. Besides normal banking services, it would also targeted e-banking users from a small set of countries.
  • The malware spreads through spam emails that use social engineering tactics, like impersonating the identity of government or private agencies to lure the users into clicking on malicious links included in the message body. 
  • Mekotio can steal banking credentials stored in some web browsers such as Google Chrome and Opera. Additionally, it has been updated with the functionality of replacing the bitcoin wallet addresses copied to the clipboard by the attacker’s wallet address.

Since its first detection in March 2018, Mekotio’s developers have been making gradual improvements in this Windows-based malware, which is developed in Embarcadero Delphi.

Current coverage

As of now, Mekotio malware has a presence in Chile (having the highest detection), followed by Brazil and Mexico (medium level of detection), and then Peru, Colombia, Argentina, Ecuador, and Bolivia.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s