Security researchers have observed a recent surge in activity by the Mekotio banking trojan. The lure is usually an email that impersonates a tax agency and claims the recipient has unpaid taxes. Once installed, the trojan can steal banking credentials, capture screenshots, log keystrokes, steal clipboard data, and persist on the infected device.
Mekotio isn’t new malware, either. Researchers from Trend Micro report that it has been active since at least 2015 and primarily targets Latin American countries, with especially high activity in Brazil, Chile, Mexico, Spain, and Peru. The malware also appears to share its origins with Grandoreiro, another banking trojan that has drawn law enforcement attention.
Mekotio typically arrives as a ZIP or PDF attachment to a phishing email that appears to come from a tax agency; sometimes the email instead links to a malicious site. Whichever delivery mechanism is used, once the trojan executes on the victim’s system it gathers system information and connects to a command-and-control (C2) server, which then sends instructions and a list of tasks for the malware to perform on the infected device.

Mekotio performs three major operations on the victim’s device:
- Credential theft: the malware displays fake pop-ups that impersonate legitimate banking sites and prompt users to enter their credentials. The entered data is harvested by the trojan and sent to the C2 server.
- Information gathering: as noted above, the malware can capture screenshots, steal clipboard data, and log keystrokes.
- Persistence: the malware adds itself to the list of startup programs or creates a scheduled task so that it survives reboots on the targeted system.
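The two persistence mechanisms in the list above (an autostart registry entry and a scheduled task) are also the easiest to hunt for in endpoint telemetry. The script below is an added example, not code from the article or from Trend Micro. It assumes Sysmon-style events (Event ID 13 for a registry value being set, Event ID 1 for process creation) expressed as dictionaries with the usual Sysmon field names, and it flags autostart entries whose target binary lives in a user-writable directory such as AppData or Temp, which is where a dropped trojan usually sits and where legitimate autostart entries rarely do. The sample events, user name, and file names are constructed for illustration.

```python
"""Hunt for Mekotio-style persistence in Sysmon-like telemetry (added example)."""
import json
import re

# Autostart registry locations; assumed to appear in Sysmon Event ID 13 TargetObject.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)

# Directories a standard user can write to. A legitimate autostart entry
# normally points into Program Files or System32, not here.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(Local|Roaming)\\|\\Temp\\|\\Downloads\\|\\Public\\", re.IGNORECASE
)

# Extract the program passed to `schtasks /create ... /tr <program>`, quoted or not.
SCHTASKS_TR_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', re.IGNORECASE)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"},
    {"EventID": 13, "Image": "C:\\Users\\ana\\AppData\\Local\\Temp\\fatura.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\ana\\AppData\\Roaming\\upd\\fatura.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 5 /tn "SysUpd" '
                    '/tr "C:\\Users\\ana\\AppData\\Roaming\\upd\\fatura.exe" /f'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\\Program Files\\Backup\\bk.exe"'},
]


def autostart_target(event):
    """Return (mechanism, target_program) if the event sets up an autostart, else None."""
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return ("run_key", event.get("Details", ""))
    if eid == 1 and event.get("Image", "").lower().endswith("schtasks.exe"):
        cmd = event.get("CommandLine", "")
        if "/create" in cmd.lower():
            match = SCHTASKS_TR_RE.search(cmd)
            if match:
                return ("scheduled_task", match.group(1))
    return None


def find_suspicious_persistence(events):
    """Return a finding for every autostart entry whose target is in a user-writable directory."""
    findings = []
    for event in events:
        hit = autostart_target(event)
        if hit is None:
            continue
        mechanism, target = hit
        if USER_WRITABLE_RE.search(target):
            findings.append({"mechanism": mechanism, "target": target,
                             "writer": event.get("Image", "")})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_suspicious_persistence(SAMPLE_EVENTS), indent=2))
```

Run against the constructed events, the OneDrive Run key and the Program Files backup task pass, while the Run key and the five-minute scheduled task that both point at a binary under AppData\Roaming are reported. In a real deployment the same two rules would be fed from the Sysmon operational log or an EDR export, and the writer image (here itself under Temp) is a second signal worth alerting on.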
Because Mekotio relies on social engineering rather than a software vulnerability, there is no patch that keeps it out. Researchers recommend not clicking links or opening attachments from unknown senders, and verifying the sender’s identity before acting on any email that concerns your finances, especially one claiming to come from a tax agency.
