Mekotio

Malware updated 23 days ago (2024-11-29T14:51:10.185Z)
Download STIX
Preview STIX
Mekotio is a type of malware, specifically a banking trojan, that was first detected in March 2018. Initially focusing on Brazilian users and banks, Mekotio has since evolved to target other Spanish-speaking countries such as Chile, Mexico, Columbia, and Argentina, as well as parts of Southern Europe, including Spain. It is predominantly delivered through phishing emails with malicious attachments, making it a versatile and persistent threat in the region. Mekotio shares common geographical targets with BBTok, another banking trojan first detected in 2020, which primarily targets the Latin American financial sector. In recent campaigns, Mekotio, along with Astaroth/Guildma and Ousaban, has been observed misusing Google Cloud Run service for distribution. Security researchers have issued warnings about these large-scale attacks, where threat actors are exploiting the cloud service to spread massive volumes of these banking trojans. The JavaScript used in these campaigns employs AutoHotKey (AHK) to run the DLL, which serves as the main payload for Mekotio. Notably, the variant of Mekotio investigated in this study does not include a country comparison feature, distinguishing it from previous versions. This latest variant expands its targets geographically, further increasing its threat level. The infection chain involves the creation of the AutoHotKey.exe, a malicious AHK script, and the Mekotio DLL from a downloaded ZIP file. Once inside a system, Mekotio gathers victim information, posing significant risks to personal data security.
Description last updated: 2024-09-05T13:17:28.101Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Grandoreiro is a possible alias for Mekotio. Grandoreiro is a malicious software, or malware, specifically a banking Trojan that targets banks worldwide. Initially originating from a Brazilian banking group, Grandoreiro has expanded its reach to other countries, becoming a significant threat in the cyber landscape. It operates by infiltrating
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Malware
Banking
Trojan
Credentials
Clipboard Data
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Mekotio Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more