Mekotio Banking Trojan
Mekotio is a banking trojan that has been making its rounds targeting Latin American banks and other financial institutions. Active since 2015, Mekotio is not new, but it remains active, reaching unsuspecting users as a malicious email attachment.
Mekotio has multiple variants. Each starts as an executable email attachment or executable script that reaches out to the threat actor’s servers and downloads the additional stages and payloads, which are then installed and set up for persistence. One distinctive feature of these downloads is the use of custom HTTP User-Agent strings when communicating with the malicious servers.
Once the trojan has been installed, it performs numerous actions to get the user to divulge sensitive information, such as:
- open fake pop-up windows
- disable browser auto-complete for passwords
- collect host information
- take screenshots
- simulate keyboard and mouse actions
- replace Bitcoin addresses
- communicate with its C&C via a SQL database
Currently, Mekotio is not tied to a specific threat actor group, but the motive behind it is purely financial.
Researchers have identified the main distribution method as spam email (rather than a targeted phishing attack), which can be easily prevented with properly configured spam filters and user awareness. Mekotio has been around long enough that many anti-virus products will catch Mekotio and its variants.
Sources:
Indicators of Compromise (IOCs):
- Mekotio samples (SHA-1 | description | detection name)
  - AEA1FD2062CD6E1C0430CA36967D359F922A2EC3 | Mekotio banking trojan (SQL variant) | Win32/Spy.Mekotio.CQ
  - 8CBD4BE36646E98C9D8C18DA954942620E515F32 | Mekotio banking trojan | Win32/Spy.Mekotio.O
  - 297C2EDE67AE6F4C27858DCB0E84C495A57A7677 | Mekotio banking trojan | Win32/Spy.Mekotio.DD
  - 511C7CFC2B942ED9FD7F99E309A81CEBD1228B50 | Mekotio banking trojan | Win32/Spy.Mekotio.T
  - 47C3C058B651A04CA7C0FF54F883A05E2A3D0B90 | Mekotio banking trojan | Win32/Spy.Mekotio.CD
- Network communication
  - User-Agent: “MyCustomUser”, “4M5yC6u4stom5U8se3r” (and other variations)
  - HTTP verb: “111SA”
- Bitcoin wallets
  - 1PkVmYNiT6mobnDgq8M6YLXWqFraW2jdAk
  - 159cFxcSSpup2D4NSZiuBXgsGfgxWCHppv
  - 1H35EiMsXDeDJif2fTC98i81n4JBVFfru6
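As an added example (not part of this report or of any vendor's tooling), the following Python scans web-proxy log lines for the network indicators listed above: the custom User-Agent strings described in the overview and the non-standard HTTP verb. The log layout, the IP addresses and URLs, and the digit-stripping heuristic used to catch the "other variations" of the User-Agent are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Network indicators taken from the report above.
KNOWN_USER_AGENTS = {"MyCustomUser", "4M5yC6u4stom5U8se3r"}
MEKOTIO_VERB = "111SA"
# Registered HTTP method names; anything else in a proxy log deserves a look.
STANDARD_VERBS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}

# Assumed proxy log layout (constructed for this example, not a real product's format):
#   <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def normalise_ua(ua: str) -> str:
    """Heuristic (assumption): drop digits and case so that digit-padded variants such as
    4M5yC6u4stom5U8se3r collapse onto the base string MyCustomUser."""
    return re.sub(r"\d", "", ua).lower()

def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line; a real pipeline would count these separately
    method, ua = m["method"], m["ua"]
    reasons = []
    if ua in KNOWN_USER_AGENTS or normalise_ua(ua) == "mycustomuser":
        reasons.append("mekotio-user-agent")
    if method == MEKOTIO_VERB:
        reasons.append("mekotio-http-verb")
    elif method.upper() not in STANDARD_VERBS:
        reasons.append("non-standard-http-verb")
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "method": method, "ua": ua, "reasons": ",".join(reasons)}

def scan(lines: List[str]) -> List[Dict[str, str]]:
    # Run classify() over a batch of lines and keep only the hits.
    return [f for f in (classify(line) for line in lines) if f]

# Constructed sample traffic: one benign request, then three that match the indicators.
SAMPLE_LOG = [
    '2021-03-01T10:00:01Z 10.0.0.5 GET http://intranet.example/index.html 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/86.0"',
    '2021-03-01T10:00:07Z 10.0.0.17 GET http://203.0.113.10/dl/stage2.bin 200 "MyCustomUser"',
    '2021-03-01T10:00:09Z 10.0.0.17 111SA http://203.0.113.10/cfg 200 "Mozilla/4.0 (compatible)"',
    '2021-03-01T10:00:12Z 10.0.0.17 POST http://203.0.113.10/up 200 "4M5yC6u4stom5U8se3r"',
]
if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on the raw User-Agent alone misses the digit-interleaved variants, which is why the normalised comparison is kept alongside the exact set; the non-standard-verb branch also surfaces any future verb change without a signature update.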