According to reports, the latest round of attacks is particularly targeting victims in Brazil, Chile, Mexico, Peru, and Spain. Check Point researchers reported that “One of the main characteristics […] is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection.”
The development comes after Spanish authorities arrested 16 members of a criminal network in July 2021 in connection with the operation of Mekotio and another banking virus named Grandoreiro as part of a social engineering campaign targeting European financial institutions.
The arrests were made in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los Barros (Badajoz), and Aranda de Duero (Burgos) following a year-long investigation codenamed “Aguas Vivas”.
The Mekotio banking trojan’s operators have reappeared with a modified infection flow designed to evade detection and security software, carrying out nearly 100 attacks in the last three months.
Computers, phones and documents were seized, and over 1,800 spam emails were reviewed, allowing law enforcement to stop transfer attempts totaling €3.5 million. The actors are reported to have made €276,470 from the campaign, of which €87,000 has been recovered.
The malware, known as “Mekotio” and “Grandoreiro,” worked by intercepting transactions on a banking website and diverting funds to accounts controlled by the attackers. To facilitate these fraudulent transactions, at least 68 government email accounts were compromised.
“The money was then divided by sending it to different accounts or withdrawing it.”
The Mekotio infection chain, which targets Windows PCs, begins with a phishing email posing as a pending tax receipt that carries either a link to a ZIP file or a ZIP file as an attachment. Opening the ZIP archive executes a batch script, which in turn runs a PowerShell script to download a second-stage ZIP file.
This second ZIP file contains an AutoHotkey (AHK) interpreter, an AHK script and the Mekotio DLL payload; the AHK script loads the DLL payload, which harvests credentials from online banking sites.
Finally, Check Point’s Kobi Eisenkraft concluded that “As a result, the arrests put a stop to the Spanish gangs’ activities, but not to the primary cybercrime groups behind Mekotio.” The Mekotio banker poses a very real risk of stealing the usernames and passwords used to access financial institutions.
Indicators of Compromise
Batch script SHA-1 hashes
09a536c2260d01fe9de33b905cde75685360cd3d
106a719cecf90db98fb3a79bf22435acafcf6e4f
134b1b4e2726117b0bf5ac7670f37e10f40ccc31
24965ac9150a86085aa36b953ef3b181ef2007b5
40ce61f375fbebf809bf55f7dba93c890ac990ac
412c522f180d6d773b892e92e45c72780a9f491c
4178e160fdff914718b55ded12808189939453bb
561bff9aa9c807b937b460ef3d2cf0f710ff3eb5
5a9d4e41d677d0caadf232b7cdcfe51cde38ed77
5bc7099f709e1ae1ac0354fa99a32703e6306a6d
87cbb5e4bae97f51e22668634ebc764e6a863a68
87d9f2c95835a1ad9c2397d0f776eb8f2e08125c
c3b93e8d68614447f462d001b7a44ccc7c3c9e52
c7b3f093a320ffd2b9667c79622a42d88e2b68ac
d1404272a3d23b143fc9fec377577cab715d9838
d884cd7ac1664d1227214fe21e6ef7f657fa69a5
dfde9908dc5395f9dfb4b9dae00f4a3fb555af5c
fc24562b2efc77dc6174abf592fe68051751b678
Links to the first-stage ZIP
20.206.121[.]1/arquivo.php
40.90.192[.]58/factura0001450000g9.zip
lianzafacture[.]eu/75rg6ty7.php?e=desktop-pc
onflicitoesar[.]eu/75rg6ty7.php?e=desktop-pc
ontabilidadms[.]eu/75rg6ty7.php?e=desktop-pc
c2-3-143-67-171.us-east-2.compute.amazonaws[.]com/arquivo.php
taingenieria[.]eu/75rg6ty7.php?e=desktop-pc
erdfacturaa[.]top/arquivo.php
dfcompros[.]com/arquivo.php
emg-compl[.]com/75rg6ty7.php?e=desktop-pc
pyddteres[.]hopto.org/75rg6ty7.php?e=desktop-pc
ubbencion[.]australiaeast.cloudapp.azure[.]com/75rg6ty7.php?e=desktop-pc
ubbencion[.]eu/75rg6ty7.php?e=desktop-pc
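The infection chain described above (phishing ZIP, batch script, PowerShell download of a second-stage ZIP) and the indicator list that follows it are most useful when turned into something a defender can actually run. The script below is an added example written for this page; it is not Check Point’s tooling or code from the report. It loads the published batch-script SHA-1 hashes and the defanged first-stage download URLs, refangs them, hashes files on disk to find the dropper batch scripts, and sweeps proxy log lines for requests to the IOC hosts. It also flags the distinctive “/75rg6ty7.php” dropper path on any host, which is a heuristic for catching rotated domains and is an assumption of this example, not something the report states. The proxy log format and the sample log lines are constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

# SHA-1 hashes of the first-stage batch scripts, copied from the IOC list above.
BATCH_SHA1 = set("""
09a536c2260d01fe9de33b905cde75685360cd3d
106a719cecf90db98fb3a79bf22435acafcf6e4f
134b1b4e2726117b0bf5ac7670f37e10f40ccc31
24965ac9150a86085aa36b953ef3b181ef2007b5
40ce61f375fbebf809bf55f7dba93c890ac990ac
412c522f180d6d773b892e92e45c72780a9f491c
4178e160fdff914718b55ded12808189939453bb
561bff9aa9c807b937b460ef3d2cf0f710ff3eb5
5a9d4e41d677d0caadf232b7cdcfe51cde38ed77
5bc7099f709e1ae1ac0354fa99a32703e6306a6d
87cbb5e4bae97f51e22668634ebc764e6a863a68
87d9f2c95835a1ad9c2397d0f776eb8f2e08125c
c3b93e8d68614447f462d001b7a44ccc7c3c9e52
c7b3f093a320ffd2b9667c79622a42d88e2b68ac
d1404272a3d23b143fc9fec377577cab715d9838
d884cd7ac1664d1227214fe21e6ef7f657fa69a5
dfde9908dc5395f9dfb4b9dae00f4a3fb555af5c
fc24562b2efc77dc6174abf592fe68051751b678
""".split())

# Defanged first-stage ZIP download URLs, copied from the IOC list above.
FIRST_STAGE_URLS = """
20.206.121[.]1/arquivo.php
40.90.192[.]58/factura0001450000g9.zip
lianzafacture[.]eu/75rg6ty7.php?e=desktop-pc
onflicitoesar[.]eu/75rg6ty7.php?e=desktop-pc
ontabilidadms[.]eu/75rg6ty7.php?e=desktop-pc
c2-3-143-67-171.us-east-2.compute.amazonaws[.]com/arquivo.php
taingenieria[.]eu/75rg6ty7.php?e=desktop-pc
erdfacturaa[.]top/arquivo.php
dfcompros[.]com/arquivo.php
emg-compl[.]com/75rg6ty7.php?e=desktop-pc
pyddteres[.]hopto.org/75rg6ty7.php?e=desktop-pc
ubbencion[.]australiaeast.cloudapp.azure[.]com/75rg6ty7.php?e=desktop-pc
ubbencion[.]eu/75rg6ty7.php?e=desktop-pc
""".split()

# Assumption of this example: the dropper path shared by most of the .eu hosts above
# is distinctive enough to flag on its own, so it also catches rotated domains.
SUSPICIOUS_PATH = "/75rg6ty7.php"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a real one ('[.]' -> '.')."""
    return ioc.replace("[.]", ".")


def ioc_host(url: str) -> str:
    """Lower-cased hostname of a scheme-less, defanged IOC URL."""
    u = refang(url)
    if "://" not in u:
        u = "http://" + u
    return (urlparse(u).hostname or "").lower()


IOC_HOSTS = {ioc_host(u) for u in FIRST_STAGE_URLS}


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_batch(digest: str) -> bool:
    """True if the hex SHA-1 matches one of the published batch-script hashes."""
    return digest.lower() in BATCH_SHA1


def scan_tree(root) -> list:
    """Paths under root whose SHA-1 matches a published batch-script hash."""
    return [str(p) for p in Path(root).rglob("*")
            if p.is_file() and is_known_batch(sha1_of_file(p))]


# Constructed proxy-log shape for this example: "<ts> <src-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def match_proxy_log(lines) -> list:
    """(src, url, reason) for each request to an IOC host or to the dropper path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        p = urlparse(m["url"])
        host = (p.hostname or "").lower()
        if host in IOC_HOSTS:
            hits.append((m["src"], m["url"], "ioc-host"))
        elif p.path == SUSPICIOUS_PATH:
            hits.append((m["src"], m["url"], "dropper-path"))
    return hits


# Constructed sample log lines (not real traffic); the third uses a made-up rotated host.
SAMPLE_PROXY_LOG = [
    "2021-11-03T10:12:01Z 10.0.0.15 GET http://ubbencion.eu/75rg6ty7.php?e=desktop-pc 200",
    "2021-11-03T10:12:05Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2021-11-03T10:13:40Z 10.0.0.22 GET http://rotated-domain.example/75rg6ty7.php?e=desktop-pc 200",
    "2021-11-03T10:14:00Z 10.0.0.31 GET http://40.90.192.58/factura0001450000g9.zip 200",
]

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print(*hit)
```

Run `scan_tree()` over user download and temp directories to find the dropper batch scripts, and feed real proxy or DNS logs to `match_proxy_log()` after adjusting `LOG_RE` to your log format. Host matches are high confidence; the path-only match is a lead to triage, since the operators rotate domains and the shared path is the only thing that survives the rotation.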