An overview of Mekotio, a Latin American banking trojan active since 2015, detailing how it steals banking credentials and maintains footholds on infected systems. The malware is delivered mainly via phishing emails with attachments or malicious links, communicates with a C2 server, and uses credential theft, keystroke logging, screen capture, clipboard theft, and persistence techniques. #Mekotio #Grandoreiro #LatinAmerica #Brazil #Chile #Mexico #Peru
Keypoints
- Mekotio is a sophisticated banking trojan targeting Latin American countries, with notable activity in Brazil, Chile, Mexico, Spain, and Peru.
- The trojan is typically delivered via phishing emails that impersonate tax agencies and contain a ZIP attachment or a malicious link.
- In the analyzed attack chain, the attached PDF contains the malicious link; infection begins when the user follows that link.
- Once on the system, Mekotio gathers information and connects to a C2 server to receive instructions and tasks.
- Malicious activities include credential theft via fake banking pop-ups, information gathering (screenshots, keystrokes, clipboard data), and persistence (startup programs, scheduled tasks).
- Stolen banking data is sent back to the C2 server for fraudulent use, such as unauthorized bank access.
- Mitigation emphasizes user education: treating unsolicited emails with skepticism, hovering over links to check their real destination before clicking, avoiding suspicious attachments, keeping security controls up to date, and running phishing awareness training.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The infection starts from a phishing email with a ZIP attachment, where the attachment is a PDF that contains the malicious link. ‘Mekotio typically arrives through emails that appear to be from tax agencies alleging that the user has unpaid tax obligations… In our analysis, the attachment is a PDF file that contains the malicious link.’
- [T1566.002] Spearphishing Link – The email includes a link to a malicious site that leads the user to download the malware. ‘These emails contain a ZIP file attachment or a link to a malicious site.’
- [T1071.001] Web Protocols (C2) – After execution, Mekotio connects to a C2 server to receive instructions and tasks. ‘Once inside the system, Mekotio performs the following malicious activities… establishes a connection with a command-and-control (C&C) server. This server provides instructions and a list of tasks for the malware to perform.’
- [T1056.001] Keylogging – Information gathering includes logging keystrokes. ‘Information Gathering: Mekotio can capture screenshots, log keystrokes, and steal clipboard data.’
- [T1113] Screen Capture – Information gathering includes taking screenshots. ‘Information Gathering: Mekotio can capture screenshots, log keystrokes, and steal clipboard data.’
- [T1115] Clipboard Data – Information gathering includes stealing clipboard data. ‘Information Gathering: Mekotio can capture screenshots, log keystrokes, and steal clipboard data.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence by adding itself to startup programs. ‘Persistence Mechanisms: Mekotio employs various tactics to maintain its presence on the infected system, including adding itself to startup programs or creating scheduled tasks.’
- [T1053.005] Scheduled Task – Persistence via scheduled tasks. ‘and creating scheduled tasks.’
- [T1041] Exfiltration Over C2 Channel – Stolen banking data is sent back to the C2 server for fraudulent use. ‘The stolen banking information is sent back to the C&C server, where it can be further used by malicious actors for fraudulent activities, such as unauthorized access to bank accounts.’
Indicators of Compromise
- [URL] context – https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/g/mekotio/mekotio-banking-trojan-threatens-financial-systems-in-latin-america.txt
Read more: https://www.trendmicro.com/en_us/research/24/g/mekotio-banking-trojan.html