Posted on Leave a comment

The Mekotio Banking Trojan Is Back with New stealth techniques.

According to reports, the latest round of attacks is particularly targeting victims in Brazil, Chile, Mexico, Peru, and Spain.Check point researchers reported that , “One of the main characteristics […] is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection.”

The development comes after Spanish authorities arrested 16 members of a criminal network in July 2021 in connection with the operation of Mekotio and another banking virus named Grandoreiro as part of a social engineering campaign targeting European financial institutions.

The arrests were made in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los barros (Badajoz), and Aranda de Duero (Burgos) following a year-long investigation codenamed “Aguas Vivas”.

The Mekotio banking trojan’s operators have reappeared with a change in infection flow in order to remain undetected and avoid protection software while undertaking nearly 100 attacks in the last three months.

Computers, phones and documents were seized over 1,800 spam emails were reviewed, allowing law enforcement to successfully stop transfer efforts totaling €3.5 million. The actors are reported to have made €276,470 from the campaign of which €87,000 has been successfully recovered.

The virus, codenamed “Mekotio” and “Grandoreiro,” worked by intercepting transactions on a banking website and diverting funds to accounts controlled by the hackers. In order to facilitate such fraudulent transactions, at least 68 government email accounts were hacked.

“The money was then divided by sending it to different accounts or withdrawing it.”

The Mekotio malware strain has grown to be capable of infecting Windows PCs as  awaiting tax receipts and includes a link to a ZIP file or a ZIP file as an attachment. When you open the ZIP archive, a batch script is executed, which then executes a PowerShell script to download a second-stage ZIP file.

An AutoHotkey (AHK) interpreter, an AHK script and the Mekotio DLL payload are all contained in this additional ZIP file, which runs the DLL payload to harvest passwords from online banking sites.

Finally Check point’s Kobi Eisenkraft concluded that “As a result, the arrests put a stop to the Spanish gangs’ activities, but not to the primary cybercrime groups behind Mekotio.” The Mekotio banker represents a very real risk of obtaining usernames and password in order to access to financial institutions.

Indicators of Compromise

Batch Sha1

09a536c2260d01fe9de33b905cde75685360cd3d

106a719cecf90db98fb3a79bf22435acafcf6e4f

134b1b4e2726117b0bf5ac7670f37e10f40ccc31

24965ac9150a86085aa36b953ef3b181ef2007b5

40ce61f375fbebf809bf55f7dba93c890ac990ac

412c522f180d6d773b892e92e45c72780a9f491c

4178e160fdff914718b55ded12808189939453bb

561bff9aa9c807b937b460ef3d2cf0f710ff3eb5

5a9d4e41d677d0caadf232b7cdcfe51cde38ed77

5bc7099f709e1ae1ac0354fa99a32703e6306a6d

87cbb5e4bae97f51e22668634ebc764e6a863a68

87d9f2c95835a1ad9c2397d0f776eb8f2e08125c

c3b93e8d68614447f462d001b7a44ccc7c3c9e52

c7b3f093a320ffd2b9667c79622a42d88e2b68ac

d1404272a3d23b143fc9fec377577cab715d9838

d884cd7ac1664d1227214fe21e6ef7f657fa69a5

dfde9908dc5395f9dfb4b9dae00f4a3fb555af5c

fc24562b2efc77dc6174abf592fe68051751b678

Links to first zip

20.206.121[.]1/arquivo.php

40.90.192[.]58/factura0001450000g9.zip

lianzafacture[.]eu/75rg6ty7.php?e=desktop-pc

onflicitoesar[.]eu/75rg6ty7.php?e=desktop-pc

ontabilidadms[.]eu/75rg6ty7.php?e=desktop-pc

c2-3-143-67-171.us-east-2.compute.amazonaws[.]com/arquivo.php

taingenieria[.]eu/75rg6ty7.php?e=desktop-pc

erdfacturaa[.]top/arquivo.php

dfcompros[.]com/arquivo.php

emg-compl[.]com/75rg6ty7.php?e=desktop-pc

pyddteres[.]hopto.org/75rg6ty7.php?e=desktop-pc

ubbencion[.]australiaeast.cloudapp.azure[.]com/75rg6ty7.php?e=desktop-pc

ubbencion[.]eu/75rg6ty7.php?e=desktop-pc

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply