ESET researchers explored the Mekotio, a Latin American banking trojan targeting Spanish- and Portuguese-speaking countries: mainly Brazil, Chile, Mexico, Spain, Peru and Portugal. Mekotio boasts several typical backdoor activities, including taking screenshots, restarting affected machines, restricting access to legitimate banking websites, and, in some variants, even stealing bitcoins and exfiltrating credentials stored by the Google Chrome browser.
Mekotio has been active since at least 2015 and, as with other banking trojans ESET has investigated, shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows and containing backdoor functionality. To look less suspicious, Mekotio tries to impersonate a security update using a specific message box.
There are many technical details Mekotio is able to access from its victims, including information about the firewall configuration, administrator privileges, the Windows OS version, and a list of anti-fraud products and antimalware solutions installed. One command even tries to cripple the victim’s machine by attempting to remove all files and folders in the C:\Windows tree.
“For researchers, the most notable feature of the newest variants of this malware family is its use of an SQL database as a C&C server and how it abuses the legitimate AutoIt interpreter as its primary method of execution,” elaborates Robert Šuman, the ESET researcher leading the team of investigators focused on Mekotio.
The malware is predominantly distributed via spam. Since 2018, ESET researchers have observed 38 different distribution chains used by this family. Most of these chains consist of several stages and end up downloading a ZIP archive – a well-known behavior of Latin American banking trojans.
“Mekotio has followed a rather chaotic development path, with its features being modified very often. Based on its internal versioning, ESET believes there are multiple variants being developed simultaneously,” adds Šuman.