The operators behind the Mekotio banking trojan have resurfaced with a change in its infection flow so as to stay under the radar and evade security software, while staging nearly 100 attacks over the last three months.
“One of the main characteristics […] is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection,” researchers from Check Point Research said in a report shared with The Hacker News. The latest wave of attacks is said to primarily target victims located in Brazil, Chile, Mexico, Peru, and Spain.
The development comes after Spanish law enforcement agencies in July 2021 arrested 16 individuals belonging to a criminal network in connection with operating Mekotio and another banking malware called Grandoreiro as part of a social engineering campaign targeting financial institutions in Europe.
The evolved version of the Mekotio malware strain is designed to compromise Windows systems with an attack chain that begins with phishing emails masquerading as pending tax receipts and containing either a link to a ZIP file or a ZIP file as an attachment. Opening the ZIP archive triggers the execution of a batch script that, in turn, runs a PowerShell script to download a second-stage ZIP file.
This secondary ZIP file houses three different files: an AutoHotkey (AHK) interpreter, an AHK script, and the Mekotio DLL payload. The aforementioned PowerShell script then calls the AHK interpreter to execute the AHK script, which runs the DLL payload to steal passwords from online banking portals and exfiltrate the results back to a remote server.
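The batch-to-PowerShell-to-AutoHotkey sequence described above is a useful process-ancestry signal for endpoint detection. The following is an added example (not code from Check Point or from the report) that walks constructed process-creation events and flags an AutoHotkey interpreter whose parent is PowerShell and whose grandparent is cmd.exe; the binary names, the event format and the sample command lines are assumptions.

```python
# Added example: detect the Mekotio-style launch chain batch -> PowerShell -> AHK
# interpreter in endpoint process-creation telemetry. Binary names (autohotkey.exe,
# powershell.exe, cmd.exe), the event fields and the sample data are assumptions.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


# Expected ancestry, innermost first: the AHK interpreter, the PowerShell script
# that called it, and the cmd.exe that ran the batch file from the extracted ZIP.
SUSPICIOUS_CHAIN = ("autohotkey.exe", "powershell.exe", "cmd.exe")


def ancestry(events, pid, depth=3):
    """Return [image of pid, image of its parent, ...] up to `depth` entries."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < depth:
        e = by_pid[pid]
        chain.append(e.image)
        pid = e.ppid
    return chain


def find_mekotio_like_chains(events):
    """Return pids of AHK interpreter processes whose ancestry matches the chain."""
    return [e.pid for e in events
            if e.image == SUSPICIOUS_CHAIN[0]
            and tuple(ancestry(events, e.pid)) == SUSPICIOUS_CHAIN]


# Constructed sample telemetry: one benign AHK launch from Explorer (pid 500)
# and one that follows the batch -> PowerShell -> AHK sequence (pid 400).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "cmd.exe", 'cmd.exe /c "C:\\Users\\u\\Temp\\receipt.bat"'),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -File stage.ps1"),
    ProcEvent(400, 300, "autohotkey.exe", "autohotkey.exe script.ahk"),
    ProcEvent(500, 100, "autohotkey.exe", "autohotkey.exe hotkeys.ahk"),
]

if __name__ == "__main__":
    print(find_mekotio_like_chains(SAMPLE_EVENTS))  # -> [400]
```

The benign launch from Explorer is not flagged, which is the point: the AHK interpreter on its own is legitimate software, and it is the ancestry that carries the signal.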
The malicious modules are characterized by the use of simple obfuscation techniques, such as substitution ciphers, giving the malware improved stealth capabilities and enabling it to go undetected by most antivirus solutions.
“There's a very real danger in the Mekotio banker stealing usernames and passwords, in order to gain entry into financial institutions,” Check Point's Kobi Eisenkraft said. “Therefore, the arrests stopped the activity of the Spanish gangs, but not the main cybercrime groups behind Mekotio.”
Users in Latin America are highly recommended to use two-factor authentication to secure their accounts from takeover attacks, and to watch out for lookalike domains, spelling errors in emails or websites, and emails from unfamiliar senders.