Mekotio Banking Trojan Resurges with Tweaked Code, Stealthy Campaign

The banker, aka Metamorfo, is roaring back after Spanish police arrested more than a dozen gang members.

The Mekotio Latin American banking trojan is bouncing back after several of the gang that operates it were arrested in Spain. More than 100 attacks in recent weeks have featured a new infection routine, indicating that the group continues to actively retool.

“The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio [aka Metamorfo] distribution in July,” according to Check Point Research (CPR). “It appears that the gang behind the malware were able to narrow the gap quickly and change tactics to avoid detection.”

Mekotio, like other Latin American banking trojans, steals online banking logins and other financial credentials from unsuspecting victims. These trojans are constantly evolving to avoid detection. In this case, the freshened-up Mekotio infection vector contains “unprecedented elements” to keep detection rates low, according to the firm’s analysis, issued Wednesday. These are:

- A stealthier batch file with at least two layers of obfuscation;
- A new fileless PowerShell script that runs directly in memory; and
- Use of Themida v3 for packing the final DLL payload.

“In the last
