After Spanish police arrested 16 suspects on charges of laundering funds, the banking trojan used in the crimes makes a comeback. Named Mekotio, the malware strain targets victims in Latin America with new stealth abilities and evasion techniques. Check Point Research (CPR) detected and blocked over 100 cyber attacks in recent weeks that leverage the evolved form of the banking trojan.
- Infection chain begins with spoofed email with the message: “digital tax receipt pending submission”
- Mekotio malware strain is believed to be the work of Brazilian cybercrime groups who rent access to their tools
- CPR urges people in Brazil, Chile, Mexico, Spain and Peru to watch out
In recent weeks, Check Point Research (CPR) detected and blocked over 100 cyber attacks targeting Latin American countries that leverage an evolved form of a banking trojan named Mekotio.
The Mekotio malware strain is believed to be the work of Brazilian cybercrime groups who rent access to their tools to other gangs responsible for distributing the trojan and laundering funds. Developed to target Windows computers, Mekotio is known to use spoofed emails mimicking legitimate organizations. After a victim is infected, the banking trojan stays hidden, waiting until users log into e-banking accounts, silently collecting their credentials.
In July of this year, Spanish police arrested 16 suspects on charges of laundering funds stolen through banking trojans, Mekotio among others. CPR’s recent observations reveal that the threat actors behind Mekotio are still active, distributing a new version of Mekotio with new and improved stealth abilities and evasion techniques.
Brazil, Chile, Mexico, Spain and Peru have historically been Mekotio’s targets, and they remain the targets in the recent cyber attacks caught by CPR.
How the New Mekotio Works
The infection starts with a phishing email, written in Spanish, that either links to a zip archive or carries one as an attachment. The message lures the victim into downloading and extracting the zip content. The emails caught by CPR told the target that a “digital tax receipt” was “pending submission”. When the victim clicks the link in the email, a malicious zip archive is downloaded from a malicious website.
Example A: Phishing Email
CPR has diagrammed the full attack flow as follows:
New Stealth Abilities and Evasion Techniques
One of the key characteristics of Mekotio is its modular design, which lets the attackers change only a small part of the whole in order to avoid detection. Furthermore, Mekotio uses an ancient encryption method, a simple substitution cipher, to obfuscate file content and hide the first module of the attack. This simple obfuscation technique allows it to go undetected by most antivirus products. In addition, Mekotio’s threat actors use a new version of a commercial tool called “Themida”, which packs the payload with sophisticated encryption, anti-debug, and anti-monitoring features.
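As an added illustration (not code from Check Point or from the Mekotio sample), the Python sketch below shows why a byte-level substitution cipher slips past string signatures while still leaving analysts two handles: the byte-frequency profile, which a substitution cannot change, and known-plaintext recovery of the substitution table. The sample module, the signature and the key are all constructed for this example.

```python
"""Constructed demo (not Mekotio's code, key or module): why a byte-level
substitution cipher defeats string signatures, and two defender-side checks."""
import random
from collections import Counter
# Invented stand-in for a first-stage module that a string signature matches.
SAMPLE_MODULE = (b"MZ\x90\x00This program cannot be run in DOS mode.\r\n"
                 b"kernel32.dll VirtualAlloc CreateProcessW ") * 4
SIGNATURE = b"This program cannot be run"  # assumed AV string signature

def make_substitution_key(seed: int) -> bytes:
    """Example key: a seeded random permutation of all 256 byte values."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return bytes(table)

def substitute(data: bytes, key: bytes) -> bytes:
    """Monoalphabetic byte substitution; bytes.translate applies the table."""
    return data.translate(key)

def signature_hit(data: bytes) -> bool:
    """The naive string-signature scan the obfuscation is meant to evade."""
    return SIGNATURE in data

def frequency_profile(data: bytes) -> tuple:
    """Sorted byte histogram: substitution only relabels byte values, so the
    profile is unchanged (real encryption or packing would flatten it)."""
    return tuple(sorted(Counter(data).values(), reverse=True))

def profile_match(data: bytes, reference: bytes) -> bool:
    """Known-plaintext check: same profile as a known module despite relabelling."""
    return frequency_profile(data) == frequency_profile(reference)

def recover_mapping(plain: bytes, obfuscated: bytes) -> dict:
    """Analyst's decoding step: align a known module with its obfuscated copy."""
    return dict(zip(obfuscated, plain))

def deobfuscate(data: bytes, mapping: dict) -> bytes:
    return bytes(mapping.get(b, b) for b in data)

def demo() -> dict:
    key = make_substitution_key(seed=1234)
    obfuscated = substitute(SAMPLE_MODULE, key)
    mapping = recover_mapping(SAMPLE_MODULE, obfuscated)
    return {
        "signature_on_plain": signature_hit(SAMPLE_MODULE),
        "signature_on_obfuscated": signature_hit(obfuscated),
        "profile_match": profile_match(obfuscated, SAMPLE_MODULE),
        "decoded_ok": deobfuscate(obfuscated, mapping) == SAMPLE_MODULE,
    }
```

The profile check only works against a known reference module; it is a triage heuristic, not a general detector.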
Kobi Eisenkraft, Malware Research & Protection Team Leader at Check Point Software:
“Although the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio distribution in July 2021, it appears that the gang behind the malware is still active. It’s clear to us that they have developed and distributed a new version of Mekotio banker that has far more effective stealth abilities and evasion techniques. There’s a very real danger in the Mekotio banker stealing user names and passwords, in order to gain entry into financial institutions. Hence, the arrests stopped the activity of the Spanish gangs, but not the main cybercrime groups behind Mekotio. We know a few things about the threat actors behind Mekotio, who operate from Brazil and collaborate with European gangs to distribute the malware:
- They like to use a multi-stage delivery infrastructure in order to avoid detection
- They mainly use phishing emails as the first infection vector
- They utilize Microsoft and Amazon cloud environments to host the malicious files
I strongly urge people in Mekotio’s known target regions to use two-factor authentication whenever it is available and to beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.”
How to Stay Protected
- Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
- Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
- Make sure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
- Beware of “special” offers that don’t appear to be reliable or trustworthy purchase opportunities.
- Make sure you do not reuse passwords between different applications and accounts.