On November 3rd, Checkpoint security researchers published an analysis of a new version of the Mekotio trojan that was being actively deployed. Campaigns using this trojan generally target Latin American countries and begin with a phish containing a zip file or a link to a zip file. The publication highlighted three changes that make this version of the trojan harder to detect: the batch file now contains two added layers of obfuscation, a PowerShell script runs in memory, and the payloads are packed with Themida v3.
The group behind Mekotio has been operating out of Brazil for some time. Researchers believe the recent arrest of 16 people associated with Mekotio triggered this escalation. Banking trojans such as this generally operate with the goal of stealing account credentials; however, Mekotio has also targeted cryptocurrency transactions in the past.