Mekotio banker trojan returns with new TTP

Latin American trojan bankers are on the rise, and Mekotio is one of the most challenging threats to detect and stop these days. 

Nowadays, the number of emerging threats is concerning, as is the sophistication and agility observed in the new variants of well-known malware, including Mekotio. The new comeback brings new features and a significant change in its infection chain. This new wave was distributed some weeks after the arrest of some criminals involved with Mekotio in July 2021 by the Spanish Civil Guard. This is a clear sign that criminals moved fast to modify the malware’s Tactics, Techniques and Procedures (TTPs) to avoid detection, and it corroborates the strong collaboration between Spanish groups and the malware authors geo-located in Latin America.

Like other popular Brazilian trojan bankers, including Maxtrilha, Javali and Ursa, Mekotio was updated in this release to combine its capabilities with those threats, which indicates close collaboration between criminal gangs.

Mekotio’s Modus Operandi

Mekotio’s infection chain starts with a phishing template that lures the victim into downloading a zip file from a compromised server. Figure 1 below shows the email template in the Spanish language.

Figure 1: Mekotio email template distributed in Q3 and Q4 2021
