On November 3rd, Check Point security researchers published an analysis of a new version of the Mekotio trojan that was being actively deployed. Campaigns using this trojan generally target Latin American countries and begin with a phishing email containing a zip file or a link to a zip file. The publication highlighted three changes that make this version of the trojan harder to detect: the batch file now carries two added layers of obfuscation, a PowerShell script runs entirely in memory, and payloads are packed with Themida v3.
The group behind Mekotio has been operating out of Brazil for some time. Researchers believe the recent arrest of 16 people associated with Mekotio triggered this escalation. Banking trojans such as this generally operate with the goal of stealing account credentials; however, Mekotio has also targeted cryptocurrency transactions in the past.
Banking trojans remain a prevalent threat in this world of ransomware attacks. Just as with ransomware, the number one vector for compromise is a phishing email. When the Mekotio attachment is opened, the added layers of obfuscation and the PowerShell script running in memory create a difficult situation for defenders, since there is less on disk to scan and the malicious logic is hidden behind several decoding stages. Combining a vigilant Security Operations Center (SOC) with proactive threat hunting, such as the services provided by Binary Defense, helps to shore up defenses and mitigate losses if and when an incident occurs.