
Mekotio Trojan

Posted: July 28, 2020

The Mekotio Trojan is a banking Trojan that has been active in the cyber-threat landscape since 2018. The first campaigns used to spread the Mekotio Trojan focused on victims in Chile. The malware was delivered via phishing emails that pretended to be from Chilexpress, a famous delivery company in Chile. The recipients were usually asked to download and review an important document that was actually the Mekotio Trojan's payload. The first versions of the Mekotio Trojan focused exclusively on collecting banking credentials, but several updates have greatly enhanced this threat's features, and, unfortunately, its operators have also started to target victims in other countries like India, Peru, Brazil and Colombia.

Nowadays, the Mekotio Trojan is being spread via social media and spam emails, and its creators often impersonate high-profile government agencies or companies that are active in the targeted region. Beyond banking credentials, users who fall victim to the Mekotio Trojan are exposed to the following data theft:

  • Mekotio doubles as an infostealer that can hijack saved credentials and payment details from Google Chrome and Opera.
  • Mekotio can hijack the Windows clipboard – it checks if the data in the clipboard is a valid Bitcoin wallet address, and replaces it with a wallet address provided by the attacker. This may allow the attacker to hijack Bitcoin transactions silently.

The Mekotio Trojan is one of the most active banking malware families at the moment, and it is the second one to see huge improvements in July 2020 – earlier this month, we reported the BlackRock Android Malware that also aims at collecting financial data.

Windows users can stay safe from Mekotio Trojan's attacks by using an up-to-date anti-virus application. On top of this, they should try to be more careful with the files they interact with while browsing the Web – it is recommended to avoid unknown email attachments or files coming from non-trustworthy sources.
