
The banking trojan Mekotio impersonates update notifications

A flexible banking Trojan targeting users in Latin America is circulating in many countries, such as Mexico, Brazil, Chile, Spain, Peru and Portugal.

The malware ensures persistence on infected systems and has advanced features such as planting backdoors, stealing bitcoin and extracting credentials.


Known as Mekotio, the trojan collects sensitive information from victims' computers, such as the firewall configuration, the operating system, whether administrator rights are enabled, and the status of any installed antivirus products.

One behavior specific to Mekotio is the use of pop-ups that impersonate system updates.

The Windows pop-up window contains an error message in Portuguese that states, “We are currently performing security updates on the site! Please try again later!”

“Mekotio has several typical backdoor features. It can take screenshots, manipulate windows, simulate mouse and keyboard actions, restart the machine, limit access to various banking websites and update itself,” ESET explained in a report released this week.

Some variants of the trojan can also steal bitcoin by replacing a Bitcoin wallet address on the clipboard, and can retrieve saved passwords from the Chrome web browser.

The Trojan is distributed via phishing

ESET research has shown that spam phishing seems to be the primary mode of distribution utilized by the creators of Mekotio.

The email pretends to contain a receipt, but has links that download a malicious ZIP file associated with this malware.

The trojan is known to have been around since at least 2015. Since 2018, researchers have observed 38 different distribution chains used by Mekotio and other similar strains.

Teo Ehc