Mekotio: These aren’t the security updates you’re looking for…

Another in our occasional series demystifying Latin American banking trojans



In this installment of our series, we introduce Mekotio, a Latin American banking trojan targeting mainly Brazil, Chile, Mexico, Spain, Peru and Portugal. The most notable feature of the newest variants of this malware family is using a SQL database as a C&C server.



Figure 1. Countries affected by Mekotio



As with many other Latin American banking trojans we have described earlier in this series, Mekotio has followed a rather chaotic development path, with its features being modified very often. Based on its internal versioning, we believe there are multiple variants being developed simultaneously. However, similar to Casbaneiro, these variants are practically impossible to separate from each other, so we will refer to them all as Mekotio.


Characteristics


Mekotio is a typical Latin American banking trojan that has been active since at least 2015. As such, it attacks by displaying fake pop-up windows to its victims, trying to entice them to divulge sensitive information. These windows are carefully designed to target Latin American banks and other financial institutions.


Mekotio collects the following information about its victims:


Firewall configuration
Whether the victim has administrative privileges
Version of the installed Windows operating system
Whether anti-fraud protection products (GAS Tecnologia Warsaw and IBM Trusteer[1]) are installed
List of installed antimalware solutions

Mekotio ensures persistence either by using a Run key or creating an LNK file in the startup folder.
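As an added example (not ESET's code and not from the post), the PowerShell check below inventories the two persistence locations named above, Run keys and Startup-folder LNK files, and lists entries whose target falls outside the standard program directories. The trusted-prefix list is an assumption for triage, not an indicator from the post.

```powershell
# Added example (not ESET's): enumerate Run keys and Startup-folder LNK files,
# the two persistence mechanisms the post attributes to Mekotio, and report
# entries whose target lies outside the usual program directories (assumed list).
$trustedPrefixes = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($prefix in $trustedPrefixes) {
        if ($prefix -and $expanded.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}
$findings = @()
# 1. Run keys for the current user and the machine (64-bit and 32-bit views).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        if (Test-SuspiciousPath $p.Value) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Target = $p.Value }
        }
    }
}
# 2. LNK files in the per-user and all-users Startup folders; resolve each shortcut target.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in (Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue)) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (Test-SuspiciousPath $target) {
            $findings += [pscustomobject]@{ Source = $lnk.FullName; Name = $lnk.Name; Target = $target }
        }
    }
}
$findings | Format-Table -AutoSize
```

Entries listed here are triage leads, not verdicts; many legitimate programs install from user-profile directories, so compare each target against a known-good baseline before acting.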


As is common for most Latin American banking trojans, Mekotio has ..
