Melcoz


Posted: July 16, 2020

Melcoz is a relatively outdated banking Trojan that originates from Brazil, but it has recently expanded its operations to target victims in Chile and Mexico. The threat is based on an old open-source project known as Remote Access PC, a Remote Access Trojan that is frequently adopted and reworked by cybercriminals. The operators of Melcoz, however, do not need full remote access to the victim's machine; instead, they use the Trojan only to manipulate certain applications running on the compromised system.

Melcoz is spread via phishing emails that urge the user to download and install an important piece of software; in reality, the download is a decoy program that silently deploys the Melcoz banking Trojan in the background. Once Melcoz is operational, it monitors the user's activity and informs the attacker whenever an active Web browsing session is detected. It is important to note that the Melcoz Trojan does not execute its attack automatically; instead, it requires the operator to interact with the payload manually in order to display the fake windows and overlays used to perform fraudulent transactions and bypass two-factor authentication measures.

The Melcoz Trojan Payload May Be Custom-Built for Each Region

Cybersecurity experts note that different versions of Melcoz have been tailored to the region they were about to target; for example, the samples in Chile and Mexico were protected with commercial software packers.

Apart from targeting online banking portals, Melcoz also performs clipboard hijacking: it monitors the victim's clipboard and checks for contents that match a valid Bitcoin wallet address. If a match is found, Melcoz replaces the wallet address copied by the user with one owned by the attackers, thereby tricking the victim into sending their Bitcoins elsewhere.
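The clipboard-hijacking behaviour described above has a simple defensive signature: a valid Bitcoin address on the clipboard is replaced, within a fraction of a second and without any user action, by a different valid Bitcoin address. The following Python is an added example written for this page, not code from the Melcoz analysis or from any product. It validates legacy (Base58Check) Bitcoin addresses, including the checksum that the malware must satisfy for its replacement to be accepted, and then runs a small swap detector over a constructed sequence of clipboard snapshots. The sample addresses are built in the code from made-up hash160 bytes and are not real wallets; the two-second window is an assumed threshold, and bech32 (bc1...) addresses are out of scope here.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I or l).
_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_INDEX = {c: i for i, c in enumerate(_B58_ALPHABET)}
# Coarse shape of a P2PKH ('1...') or P2SH ('3...') address.
_LEGACY_SHAPE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def b58check_encode(payload: bytes) -> str:
    """Base58Check-encode a version byte + 20-byte hash160 (used here only to build sample data)."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = _B58_ALPHABET[rem] + digits
    # Each leading zero byte is represented by a leading '1'.
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def is_valid_btc_address(text: str) -> bool:
    """True only if text is a well-formed legacy address whose 4-byte checksum verifies."""
    if not _LEGACY_SHAPE.match(text):
        return False
    n = 0
    for ch in text:
        n = n * 58 + _B58_INDEX[ch]
    try:
        raw = n.to_bytes(25, "big")  # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return False
    # Leading '1' characters must correspond one-to-one to leading zero bytes.
    leading_ones = len(text) - len(text.lstrip("1"))
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    if leading_ones != leading_zeros:
        return False
    expected = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[21:] == expected


def detect_clipboard_swaps(snapshots: List[Tuple[float, str]],
                           window_s: float = 2.0) -> List[Dict[str, object]]:
    """Flag a valid address being replaced by a different valid address within window_s seconds.

    snapshots: (timestamp_seconds, clipboard_text) pairs in chronological order.
    A fast address-to-address change with no user involvement is the swap pattern;
    a change minutes later is more plausibly the user copying a second address.
    """
    alerts: List[Dict[str, object]] = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        if prev == cur:
            continue
        if not (is_valid_btc_address(prev) and is_valid_btc_address(cur)):
            continue
        if t_cur - t_prev <= window_s:
            alerts.append({"at": t_cur, "original": prev, "replacement": cur})
    return alerts


# Constructed sample data: neither address belongs to anyone; the hash160 bytes are made up.
USER_ADDR = b58check_encode(b"\x00" + b"\x11" * 20)
ATTACKER_ADDR = b58check_encode(b"\x00" + b"\x22" * 20)
SAMPLE_SNAPSHOTS: List[Tuple[float, str]] = [
    (0.0, "meeting notes"),      # ordinary clipboard content
    (1.0, USER_ADDR),            # user copies their own address
    (1.3, ATTACKER_ADDR),        # silently replaced 300 ms later: swap pattern
    (30.0, USER_ADDR),           # user copies again
    (45.0, ATTACKER_ADDR),       # 15 s later: outside the window, not flagged
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"clipboard swap at t={alert['at']}s: {alert['original']} -> {alert['replacement']}")
```

On a real endpoint the snapshots would come from polling the OS clipboard; the checksum step matters because the malware must place a checksum-valid address for the swap to succeed, so the detector can ignore arbitrary text that merely looks address-shaped.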

Despite serving very specific purposes, Melcoz can still be stopped by a regular anti-malware application that receives frequent updates.
