Mekotio is a family of banking trojans that targets Windows systems. It is present in South America and is distributed through malicious campaigns aimed at specific countries, such as Chile or Spain, among others.

On this occasion we analyze its characteristics in greater depth, the stages of its infections and its malicious capabilities, among which the theft of cryptocurrencies and banking credentials stands out.

Since its first detection, the cybercriminals behind this threat have been implementing changes and updates. Although these changes have added, removed and/or modified functionalities, the objective remains constant: to do everything possible to obtain money or access credentials for their victims' online banking services.

Regarding Mekotio detections in Latin America, Chile is the country with the highest number by a wide margin, followed by Brazil and Mexico, with a medium level of detections, and then by Peru, Colombia, Argentina, Ecuador, and Bolivia, which have a low level of detections. The rest of the Latin American countries did not show a significant level of detections. And recently, several cases have been reported in Spain.

It is important to note that a low number of detections does not imply that the threat is not present in other countries. In turn, it should be considered that, if attackers deemed it profitable, there could be new campaigns targeted specifically at countries that currently have almost no detections, as is the case with Spain.

This analysis was carried out mainly on the CY variant of Mekotio, which is aimed at users in Chile, the country most affected by this family. However, many of the characteristics, malicious activities, and other observations made during this analysis also apply to other variants spread in other countries, since they are all part of the same family and, therefore, show similarities.

The infection process begins with a spam campaign. Generally, the emails sent make use of social engineering to simulate legitimate emails and impersonate companies or government agencies, with the aim of deceiving the user and getting them to click on the malicious link included in the body of the message.

The Bitcoin wallet address replacement capability swaps any Bitcoin wallet address copied to the clipboard for the attacker's wallet address. In this way, if an infected user wants to make a transfer or a deposit to a specific address and uses the copy command instead of typing it manually, the address pasted will not be the one they intended to transfer to, but the attacker's address. If the user does not notice the difference and decides to proceed with the operation, they will end up sending the money directly to the attacker.
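The clipboard swap described above is detectable from the defender's side, because the malware has to replace one syntactically valid address with another, different valid address without any copy action by the user. The following is an added example, not code from the article or from any Mekotio sample: it validates legacy Base58Check Bitcoin addresses (the `1...` and `3...` forms; bech32 `bc1...` addresses are out of scope here) and walks a constructed clipboard event log, raising an alert whenever the observed clipboard content is a valid address that differs from the one the user last copied. The event log, the `copy`/`poll` event kinds and the attacker address (built from a constructed 20-byte hash) are all assumptions made for the example.

```python
import hashlib

# Base58 alphabet used by Bitcoin (no 0, O, I, l)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(version: int, hash160: bytes) -> str:
    """Build a legacy address from a version byte and a 20-byte hash."""
    data = bytes([version]) + hash160
    data += _checksum(data)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(addr: str):
    """Decode Base58 text to raw bytes; return None on a bad character."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def is_valid_legacy_address(addr: str) -> bool:
    """True if addr is a P2PKH (0x00) or P2SH (0x05) address with a good checksum."""
    raw = base58check_decode(addr)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return _checksum(raw[:21]) == raw[21:]


def detect_clipboard_swaps(events):
    """Flag silent replacements of a copied Bitcoin address.

    events: list of (kind, content). 'copy' is a user copy action,
    'poll' is clipboard content observed by a monitor (assumed format).
    An alert is raised when a poll shows a valid address that differs from
    the valid address the user last copied, with no copy action in between.
    """
    alerts = []
    last_copy = None
    for i, (kind, content) in enumerate(events):
        if kind == "copy":
            last_copy = content
        elif kind == "poll" and last_copy is not None:
            if (is_valid_legacy_address(last_copy)
                    and content != last_copy
                    and is_valid_legacy_address(content)):
                alerts.append({"event": i, "expected": last_copy, "observed": content})
    return alerts


# Constructed sample data for the example
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"          # well-known valid address
ATTACKER_ADDR = base58check_encode(0x00, b"\x11" * 20)        # constructed placeholder
SAMPLE_EVENTS = [
    ("copy", GENESIS_ADDR),   # user copies the intended recipient
    ("poll", GENESIS_ADDR),   # clipboard still holds it
    ("poll", ATTACKER_ADDR),  # clipboard silently rewritten: should alert
    ("copy", "hello world"),  # non-address content, ignored afterwards
    ("poll", ATTACKER_ADDR),  # last copy was not an address: no alert
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"event {alert['event']}: expected {alert['expected']}, got {alert['observed']}")
```

The checksum step matters for the alert logic: a random string or a single-character typo does not pass `is_valid_legacy_address`, so only a replacement by another well-formed address is reported, which is exactly the pattern a clipboard hijacker produces.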
