Mekotio

Malware Profile Updated 24 days ago
Mekotio is a banking trojan that has been in use for several years, primarily targeting the Latin American region. It is delivered as part of a multi-stage attack sequence, often following an initial Astaroth infection. Mekotio enables credential phishing through fraudulent banking platforms and facilitates browser manipulation, allowing the theft of banking credentials and personal data. Once it has infiltrated a system, the malware uses AutoHotKey (AHK) to run its main payload, a DLL file.

Since September 2024, security researchers have observed numerous high-volume attacks deploying Mekotio alongside two other banking trojans, Astaroth/Guildma and Ousaban, across several Latin American countries. These campaigns abused Google Cloud Run, a cloud computing platform, to distribute the banking trojans at massive volumes. This misuse of Google's service by threat actors led to widespread warnings from cybersecurity experts.

The victims of these attacks are typically part of an upwardly mobile general population with a growing middle class, which enlarges the pool of potential victims. Combined with a lack of awareness of phishing and malware threats, this raises the likelihood that individuals click on suspicious links and become infected. Mekotio, along with other common malware families such as Grandoreiro, Casbaneiro, and Javali, shares a lineage back to a Delphi-based ancestor, indicating that source code components have been passed down and modified across generations.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Phishing
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Mekotio malware was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
CERT-EU | a year ago | Top Malware Trends of May: Cofense Phishing Defense Center (PDC)
CERT-EU | 3 months ago | Google Cloud Run Abused in Massive Banking Trojan Operation
CERT-EU | 3 months ago | Hackers abuse Google Cloud Run in massive banking trojan campaign
CERT-EU | 3 months ago | High-volume malware campaigns involve Google Cloud Run exploitation
DARKReading | 7 months ago | Hola Espana: 'Grandoreiro' Trojan Targets Global Banking Customers