Banking Trojan Mekotio Returns to Latin America

Check Point reports that the sophisticated banking Trojan Mekotio has returned to Latin America. In July this year, Spanish police arrested 16 suspects for money laundering related to the malware. Now the malware is attacking Spanish-speaking countries. According to Check Point, the originator of the new version appears to be a Brazilian criminal gang. I'm surprised, since Portuguese is spoken in Brazil, not Spanish. Anyway, Check Point has already blocked over 100 attacks.



Check Point Research (CPR), the research arm of Check Point® Software Technologies Ltd., points out in a report that the attack starts with a spoofed email sent under a false brand name. The mail's subject line reads "digital tax receipt pending submission", meaning a digital payment request that needs approval. The security researchers suspect a group of Brazilian, and therefore Portuguese-speaking, criminals behind the new campaign and believe that they also rent the malware out to other groups, a now common model on the black market. So far, citizens in Brazil, Chile, Mexico, Peru and, once again, Spain have been most affected.

Figure: Attack path of the banking Trojan Mekotio

Mekotio targets Windows computers and, after the intrusion, initially stays hidden and evades virus scanners until the computer's user logs into their online bank account. At that moment, the malware steals the login credentials. The new version has been strengthened in these capabilities.

The malware is spread via a Spanish-language phishing message (see above) that contains a link to a malicious ZIP archive or carries one as an attachment. Once this is downloaded and unzipped, Mekotio secretly starts its work. An interesting trick explains why the malware is rarely detected by security solutions: it hides its files with an outdated form of encryption, a substitution cipher, which modern virus scanners often fail to recognize. At the same time, the developers use a new, commercially distributed software called Themida to encrypt the malware's payload in a very sophisticated way and to add anti-debugging and anti-monitoring features.
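To illustrate the point about the substitution cipher, here is an added example (not code from Check Point's report or from the malware): a byte-level substitution cipher defeats plain signature matching, yet it preserves the byte-frequency profile, which is what an analyst's frequency analysis keys on, and once the permutation table has been recovered from an unpacked sample the obfuscated data decodes directly. The table, the sample text and the signatures are all constructed for this demonstration.

```python
"""Added example: substitution-cipher obfuscation versus static signatures.
All data is constructed; the real Mekotio table is not known from this page."""
import random
from collections import Counter


def build_table(seed: int) -> bytes:
    """Hypothetical attacker-side key: a seeded permutation of all 256 byte values."""
    rng = random.Random(seed)
    perm = list(range(256))
    rng.shuffle(perm)
    return bytes(perm)


def substitute(data: bytes, table: bytes) -> bytes:
    """Apply the byte permutation to every byte of data."""
    return bytes(table[b] for b in data)


def invert(table: bytes) -> bytes:
    """Build the decoding table from the encoding table (analyst side)."""
    inv = bytearray(256)
    for plain, enc in enumerate(table):
        inv[enc] = plain
    return bytes(inv)


def signature_hits(blob: bytes, signatures) -> list:
    """Minimal static 'scanner': which plaintext signatures occur in blob."""
    return [s for s in signatures if s in blob]


def frequency_profile(data: bytes) -> list:
    """Sorted byte-frequency counts. A substitution cipher only relabels the
    histogram, so this profile is identical before and after obfuscation."""
    return sorted(Counter(data).values(), reverse=True)


SIGNATURES = [b"bankonline", b"CreateRemoteThread"]          # constructed
SAMPLE = b"config: CreateRemoteThread ... target=bankonline"  # constructed


def demo() -> tuple:
    """Returns (hits on obfuscated blob, hits after decoding with recovered table)."""
    table = build_table(seed=1337)           # constructed key
    obf = substitute(SAMPLE, table)
    decoded = substitute(obf, invert(table))
    return signature_hits(obf, SIGNATURES), signature_hits(decoded, SIGNATURES)
```

Running `demo()` returns `([], [b'bankonline', b'CreateRemoteThread'])`: the plaintext signatures miss the obfuscated blob but match again after decoding with the recovered table.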



The security researchers urge citizens of the affected countries to be extra cautious with such emails and advise using two-factor authentication, which makes stolen login credentials for the online bank account useless on their own. More on Mekotio can be found in Check Point's report.


