A flexible banking Trojan targeting users in Latin America is circulating in several countries, including Mexico, Brazil, Chile, Spain, Peru and Portugal.
The malware establishes persistence on infected systems and has advanced capabilities such as planting backdoors, stealing bitcoin and extracting credentials.
Named Mekotio, the trojan collects sensitive information from victims' computers, such as the firewall configuration, the operating system, whether administrator rights are enabled, and the status of any installed antivirus products.
One behavior specific to Mekotio is its use of system pop-ups that impersonate system updates.
The Windows pop-up window below contains an error message in Portuguese that states, “We are currently performing security updates on the site! Please try again later!”
“Mekotio has several typical backdoor features. It can take screenshots, manipulate windows, simulate mouse and keyboard actions, restart the machine, restrict its access to various banking websites and update itself,” ESET explained in a report released this week.
The Trojan is distributed via phishing
ESET's research indicates that phishing spam is the primary distribution method used by Mekotio's creators.
The email pretends to contain a receipt, but carries links that download a malicious ZIP file associated with this malware.
The trojan is known to have been active since at least 2015. Since 2018, researchers have observed 38 distinct distribution chains used by Mekotio and similar strains.