Mekotio Trojan Targets Latin American Banking Credentials

A new analysis has shed light on the threat posed by the Mekotio banking trojan, a sophisticated piece of malware primarily targeting Latin American countries since at least 2015. 

Designed to steal sensitive information, particularly banking credentials, Mekotio has been especially active in Brazil, Chile, Mexico, Spain and Peru. This malware shares its origins with other notable Latin American banking malware strains like Grandoreiro, which was disrupted by law enforcement earlier this year. 

Mekotio typically spreads through phishing emails that employ social engineering tactics to deceive users into engaging with malicious links or attachments.

According to an advisory published by Trend Micro, the trojan has often been observed masquerading as communications from tax agencies, suggesting that recipients have unpaid obligations. These phishing emails contain a ZIP file attachment or a link to a harmful site. 

Upon user interaction, the malware is downloaded and executed on their system. In a typical case, the attachment is a PDF file with an embedded malicious link. Once activated, Mekotio collects system information and establishes a connection with a command-and-control (C2) server, which directs the malware’s actions.

Mekotio’s primary objective is to steal banking credentials. It accomplishes this by displaying fake pop-ups that mimic legitimate banking sites, tricking users into entering their details, which are then harvested. 

In addition to credential theft, Mekotio can capture screenshots, log keystrokes, and steal clipboard data. To achieve persistence, the trojan uses tactics such as adding itself to startup programs or creating scheduled tasks. The stolen information is sent back to the C2 server, enabling malicious actors to use it for fraudulent activities, such as unauthorized access to bank accounts.