Mekotio

Malware Profile Updated 13 days ago
Mekotio is a sophisticated and persistent banking trojan that has primarily targeted Latin American countries since at least 2015. It typically spreads through phishing emails that rely on social engineering. Once on a system, Mekotio collects information and establishes a connection with a command-and-control (C2) server, which directs its actions. It can capture screenshots, log keystrokes, and steal clipboard data; its primary objective is to steal banking credentials. Mekotio has been particularly active in Brazil, Chile, Mexico, Spain, and Peru.

Security researchers have recently warned about threat actors abusing Google Cloud Run to distribute large volumes of banking trojans, including Mekotio, Astaroth/Guildma, and Ousaban. In these campaigns, JavaScript (JS) uses AutoHotKey (AHK) to run the Dynamic Link Library (DLL) that serves as the main Mekotio payload. This misuse of Google Cloud Run lets the attackers distribute their malware more widely and effectively.

To maintain its presence on an infected system, Mekotio uses persistence mechanisms such as adding itself to startup programs or creating scheduled tasks. These techniques, together with its ability to infiltrate systems stealthily and steal sensitive information, make Mekotio a significant and evolving threat to financial systems worldwide, and especially in Latin America. Continuous vigilance and robust cybersecurity measures are crucial to counter it.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Grandoreiro | 2 | Grandoreiro is a malicious software (malware) that forms part of a Brazilian banking operation targeting banks worldwide. This malware, along with Guildma, Javali, and Melcoz, represents an expanding threat from Brazil that has begun to impact other countries. Grandoreiro infiltrates systems through
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Trojan
Banking
Malware
Credentials
Clipboard Data
Payload
Exploit
Associated Malware
ID | Type | Votes | Profile Description
Astaroth | Unspecified | 1 | Astaroth, a malicious software (malware), has been identified as a significant threat due to its highly developed evasive skills and information stealing capabilities. This malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it
Ousaban | Unspecified | 1 | Ousaban is a malicious software, or malware, specifically a banking trojan developed primarily in Delphi. This harmful program is designed to exploit and damage computer systems, often infiltrating them via suspicious downloads, emails, or websites without the user's knowledge. Once inside, Ousaban
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Mekotio malware was read from the document corpus below.
Source | Created At | Title
Securityaffairs | 13 days ago | Security Affairs newsletter Round 480 by Pierluigi Paganini – INTERNATIONAL EDITION
InfoSecurity-magazine | 19 days ago | Mekotio Trojan Targets Latin American Banking Credentials
Trend Micro | 23 days ago | Mekotio Banking Trojan Threatens Financial Systems in Latin America
CERT-EU | 5 months ago | Google Cloud Run Abused in Massive Banking Trojan Operation
CERT-EU | 5 months ago | High-volume malware campaigns involve Google Cloud Run exploitation
CERT-EU | 5 months ago | Hackers abuse Google Cloud Run in massive banking trojan campaign
DARKReading | 9 months ago | Hola Espana: 'Grandoreiro' Trojan Targets Global Banking Customers
CERT-EU | a year ago | Top Malware Trends of May: Cofense Phishing Defense Center (PDC)