The operators of the Mekotio banking trojan have resurfaced with a modified infection flow designed to evade detection and security software, launching nearly 100 attacks over the past three months.
One of the most prominent features is the modular attack, allowing attackers to modify only a tiny portion of the entire system to evade detection. According to reports, the new round of attacks mainly targets victims in Brazil, Chile, Mexico, Peru, and Spain.
The news comes after Spanish authorities arrested 16 members of a criminal network in July 2021 in connection with the operation of Mekotio and another banking trojan, Grandoreiro, as part of a social engineering campaign targeting European financial institutions.
Mekotio infects Windows PCs through a phishing attack chain that begins with emails posing as pending tax receipts and carrying either a link to a ZIP file or the ZIP file itself as an attachment. When the victim opens the ZIP archive, a batch script runs and launches a PowerShell script that loads a second-stage ZIP file.
This second ZIP file contains an AutoHotkey (AHK) interpreter, an AHK script, and the Mekotio DLL payload. The PowerShell script then invokes the AHK interpreter, which runs the DLL payload to harvest credentials from online banking sites and exfiltrate them to a remote server.
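The process chain described above (batch script, then PowerShell, then an AutoHotkey interpreter loading the payload) is something a defender can hunt for in endpoint telemetry. The following is an added detection example, not code from the article or from any vendor; the Sysmon-style event layout, image paths and command lines are constructed for illustration.

```python
# Added example (not from the article): flag the process chain the article describes,
# batch script -> PowerShell -> AutoHotkey interpreter, in constructed Sysmon-style
# process-creation events. Image names and the event layout are assumptions.

# Constructed sample events: (pid, parent_pid, image, command_line)
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\recibo.bat"'),
    (300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -w hidden -f stage2.ps1"),
    (400, 300, r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe",
     r"AutoHotkey.exe C:\Users\u\AppData\Local\Temp\load.ahk"),
    (500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # Benign: an AHK interpreter started directly by the user from its install dir.
    (600, 100, r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "AutoHotkey.exe macro.ahk"),
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(pid, by_pid):
    """Walk parent links from pid towards the root, yielding image basenames."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent, image, _ = by_pid[pid]
        yield basename(image)
        pid = parent

def find_suspicious_chains(events):
    """Return AHK interpreter launches whose parent is PowerShell with cmd.exe above it."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    hits = []
    for pid, ppid, image, cmd in events:
        if basename(image) != "autohotkey.exe":
            continue
        chain = list(ancestry(pid, by_pid))  # [autohotkey.exe, parent, grandparent, ...]
        # Require PowerShell as the direct parent and cmd.exe (the batch runner)
        # further up; an interpreter running from a Temp directory raises confidence.
        if len(chain) >= 3 and chain[1] == "powershell.exe" and "cmd.exe" in chain[2:]:
            hits.append({"pid": pid, "chain": " <- ".join(chain[:3]),
                         "from_temp": "\\temp\\" in image.lower(), "cmd": cmd})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_chains(EVENTS):
        print(hit)
```

Real deployments would read these fields from Sysmon event ID 1 or an EDR's process-creation stream and tune the image names to the interpreter binaries actually seen in the environment.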
The malicious modules use simple obfuscation techniques such as substitution ciphers, which improve the malware's stealth and let it go undetected by most antivirus products.
Users in Latin America should enable two-factor authentication to protect their accounts against account takeover attacks, and should watch for look-alike domains, misspelled words in emails or web pages, and messages from unknown senders.