The Mekotio banking trojan continues to be used in new attacks, despite the arrests of people associated with its propagation, according to a new report.
Security researchers at Check Point Research found the malware in new attacks and discovered it uses new tactics to avoid detection.
“The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio distribution in July,” according to Check Point Research (CPR). “It appears that the gang behind the malware were able to narrow the gap quickly and change tactics to avoid detection.”
As soon as the arrests were announced, the Mekotio malware developers — believed to be based in Brazil — quickly updated their malware with new features designed to prevent detection.
Mekotio continues to distribute phishing emails that contain malicious links or malicious .ZIP files.
The phishing email sent to victims claims there is a digital tax receipt pending submission. When the victims click the link in the email, a malicious .ZIP archive is downloaded from a malicious website.
An analysis of more than 100 attacks in recent months revealed the use of a simple obfuscation method and a substitution cipher to bypass detection by cyber security products.
RELATED RESOURCE
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email security
As well as that, the trojan developers appear to have included a batch file, which has been redesigned with several levels of obfuscation, and a new PowerShell script for malware. It also uses Themida, a legitimate program that prevents the malware from cracking or reverse engineering. With these methods, the final Trojan payload is protected.
Once installed on a victim’s machine, the Mekotio trojan attempts to steal credentials for banks and financial services and transfer them to a criminal-controlled command-and-control (C2) server.
Researchers said that banking trojans are commonplace in Latin America.
“One of the characteristics of those bankers, such as Mekotio, is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection,” researchers said.
“Our analysis of this campaign highlights the efforts that attackers make to conceal their malicious intentions, bypass security filtering, and trick users. To protect yourself against this type of attack, be suspicious of any email or communication from a familiar brand or organization that asks you to click on a link or open an attached document.”
-
Dragging your feet on Windows 11 migration? Rising infostealer threats might change thatNews With the clock ticking down to the Windows 10 end of life deadline in October, organizations are dragging their feet on Windows 11 migration – and leaving their devices vulnerable as a result.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
CronRat Magecart malware uses 31st February date to remain undetectedNews The malware allows for server-side payment skimming that bypasses browser security
-
“Trojan Source” hides flaws in source code from humansNews Organizations urged to take action to combat the new threat that could result in SolarWinds-style attacks
-
What is Emotet?In-depth A deep dive into one of the most infamous and prolific strains of malware
-
Fake AnyDesk Google ads deliver malwareNews Malware pushed through Google search results
-
Hackers use open source Microsoft dev platform to deliver trojansNews Microsoft's Build Engine is being used to deploy Remcos password-stealing malware
-
Android users told to be on high alert after Cerberus banking Trojan leaks to the dark webNews The source code for the authenticator-breaking malware is available for free on underground forums
-
Qbot malware surges into the top-ten most common business threats
News An evolved form of the banking Trojan was distributed by number one-ranking Emotet in a campaign that hit 5% of businesses globally
-
BlackRock banking Trojan targets Android apps
News Trojan steals login credentials and credit card information and has targeted more than 300 apps
