Mekotio

Malware updated 3 months ago (2024-09-05T13:18:07.836Z)
Mekotio is a banking trojan first detected in March 2018. Initially focused on Brazilian users and banks, it has since evolved to target other Spanish-speaking countries such as Chile, Mexico, Colombia, and Argentina, as well as parts of Southern Europe, including Spain. It is predominantly delivered through phishing emails with malicious attachments, making it a versatile and persistent threat in the region. Mekotio shares common geographical targets with BBTok, another banking trojan first detected in 2020, which primarily targets the Latin American financial sector. In recent campaigns, Mekotio, along with Astaroth/Guildma and Ousaban, has been observed misusing the Google Cloud Run service for distribution. Security researchers have issued warnings about these large-scale attacks, in which threat actors exploit the cloud service to spread massive volumes of these banking trojans. The JavaScript used in these campaigns employs AutoHotKey (AHK) to run the DLL that serves as the main Mekotio payload. Notably, the variant of Mekotio investigated in this study does not include a country comparison feature, distinguishing it from previous versions. This latest variant expands its targets geographically, further increasing its threat level. The infection chain involves the creation of the AutoHotKey.exe, a malicious AHK script, and the Mekotio DLL from a downloaded ZIP file. Once inside a system, Mekotio gathers victim information, posing significant risks to personal data security.
Description last updated: 2024-09-05T13:17:28.101Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Alias: Grandoreiro (2 votes). Grandoreiro is a possible alias for Mekotio. Grandoreiro is a banking Trojan that targets banks worldwide. Initially originating from a Brazilian banking group, Grandoreiro has expanded its reach to other countries, becoming a significant threat in the cyber landscape. It operates by infiltrating
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Malware
Banking
Trojan
Credentials
Clipboard Data