Arrests were made, but the Mekotio Trojan lives on

Despite the arrest of individuals connected with the spread of the Mekotio banking Trojan, the malware continues to be used in new attacks. 

On Wednesday, Check Point Research (CPR) published an analysis on Mekotio, a modular banking Remote Access Trojan (RAT) that targets victims in Brazil, Chile, Mexico, Spain, and Peru — and is now back with new tactics for avoiding detection. 

In October, law enforcement made 16 arrests across Spain in relation to the Mekotio and Grandoreiro Trojans. The suspects allegedly sent thousands of phishing emails to distribute the Trojan, which was then used to steal banking and financial service credentials.

Local media reports suggest that 276,470 euros were stolen, and that transfer attempts worth 3,500,000 euros were made but, thankfully, blocked.

CPR researchers Arie Olshtein and Abedalla Hadra say that the arrests only managed to disrupt distribution across Spain, and as the group likely collaborated with other criminal outfits, the malware continues to spread. 

Once the Spanish Civil Guard announced the arrests, Mekotio’s developers, suspected of being located in Brazil, rapidly rehashed their malware with new features designed to avoid detection. 

Mekotio’s infection vector has stayed the same, in which phishing emails either contain links to or have a malicious .ZIP
