South America targeted by a crypto-stealing banking trojan

Written by: Ali Raza
July 18, 2020
  • Latin American countries seem to be targeted by a new wave of crypto-oriented attacks.
  • The attacks are conducted via malware known as Mekotio, a well-known banking trojan.
  • The trojan has targeted over 50 banks in two years, and now it aims to steal BTC.

Amid recent major hacks and crypto scams, experts are now warning of yet another danger, which comes in the form of an entire family of banking trojans. From what is known, the trojans are targeting Latin American countries, and particularly Windows users residing within them.

The family of trojans was reported recently by a cybersecurity company called ESET. According to their report, the malware is called Mekotio, and it has been around for well over two years now. Researchers managed to trace its activity back to March 2018.

However, between then and now, the malware was upgraded time after time. Each time, it received new functionalities and capabilities, while its range of targets kept growing. In total, it is believed to have targeted over 50 banks so far.

These days, however, the trojan is after Bitcoin. It is targeting individuals who are responsible for their own coins’ security, which makes them easy targets.

How does the attack work?

From what is known, the malware tends to infect its victims via phishing emails that the hackers send out. Most attacks seem to have been directed at Chile and the surrounding countries. However, Spain also suffered a fair number of attacks.

Emails that victims receive contain a .zip file, which is downloaded to their device when the victim clicks on it. If the user unzips the file, they will find a .msi installer. Once they finish the installation, the attack is considered successful, and Mekotio replaces their BTC wallet address with one belonging to the hackers.
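The delivery stage described above (a .zip attachment carrying a .msi installer) is the point where a mail gateway can stop the campaign before any installation happens. The following attachment triage routine is an added example written for this article, not code from ESET or from the article itself; the extension policy list and the sample lure archive are constructed for the demonstration. It flags archive members by extension and, because a lure can simply be renamed, also by file signature (the OLE header that MSI files carry and the MZ header of Windows executables).

```python
import io
import posixpath
import zipfile
from typing import List, Tuple

# Policy list (constructed for this example): file types that have no business
# arriving inside an e-mail archive and should be quarantined for review.
RISKY_EXTENSIONS = {".msi", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk"}

# Magic bytes that identify the file regardless of its name, so renaming
# "installer.msi" to "informe.pdf" does not evade the check.
MAGIC_SIGNATURES = {
    b"MZ": "PE executable header",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound file (MSI / legacy Office container)",
}


def triage_zip_attachment(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) pairs for every archive member that should be blocked.

    An unreadable archive is itself reported, since a corrupt or deliberately
    malformed zip deserves a human look rather than silent delivery.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip file")]

    findings: List[Tuple[str, str]] = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = []
            ext = posixpath.splitext(info.filename.lower())[1]
            if ext in RISKY_EXTENSIONS:
                reasons.append(f"blocked extension {ext}")
            # Read only the first 8 bytes of each member: enough for the signatures above.
            with archive.open(info) as member:
                head = member.read(8)
            for signature, label in MAGIC_SIGNATURES.items():
                if head.startswith(signature):
                    reasons.append(label)
            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed lure: a zip with an .msi installer plus a 'PDF' that is really a PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake installer: OLE header followed by filler, not a real MSI.
        zf.writestr("factura.msi", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32)
        # Executable disguised with a harmless-looking name.
        zf.writestr("informe.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("leeme.txt", b"Adjunto la factura del mes.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_zip_attachment(build_sample_attachment()):
        print(f"BLOCK {name}: {reason}")
```

Both the renamed executable and the installer are caught, while the text file passes. In a real gateway the same routine would run on every archive attachment, and a hit would route the message to quarantine rather than to the user's inbox.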

Furthermore, the hackers seem to use several BTC addresses, in order to avoid being traced easily.
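Because the attackers rotate through several addresses, a blocklist of known-bad addresses is of little use; the only reliable check is whether the address about to be used is the one the user intended. The routine below is an added example written for this article, not code from ESET or the article. It assumes the substitution happens between the moment the user copies a destination address and the moment it is pasted into a wallet (the article only says the wallet address is replaced), and it demonstrates Base58Check decoding so that a typo is also caught; the genesis block coinbase address is used as the known-good "intended" destination, and the attacker address in the demo is a constructed placeholder, not a real address. Bech32 ("bc1...") addresses are out of scope.

```python
import hashlib
from typing import Optional

# Bitcoin's Base58 alphabet: digits and letters without 0, O, I and l.
_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_INDEX = {c: i for i, c in enumerate(_B58_ALPHABET)}

# Known-good legacy address (the Bitcoin genesis block coinbase address), used here
# as the "intended" destination in the demonstration.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"


def base58check_decode(text: str) -> Optional[bytes]:
    """Decode a Base58Check string and return its 21-byte payload (version byte +
    20-byte hash), or None if a character is illegal, the length is wrong, or the
    4-byte double-SHA-256 checksum does not match."""
    value = 0
    for ch in text:
        idx = _B58_INDEX.get(ch)
        if idx is None:
            return None
        value = value * 58 + idx
    # Every leading '1' stands for one leading 0x00 byte that the integer form lost.
    leading = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None


def is_valid_legacy_address(addr: str) -> bool:
    """True for a well-formed mainnet P2PKH ('1...') or P2SH ('3...') address."""
    payload = base58check_decode(addr)
    return payload is not None and payload[0] in (0x00, 0x05)


def check_outgoing_address(intended: str, pasted: str) -> str:
    """Verdict for the address about to be used in a transaction.

    'mismatch' - the pasted text differs from what the user meant to send to; this is
                 what a clipboard-swapping trojan produces, and it is caught without
                 knowing any attacker address
    'invalid'  - same text, but not a well-formed address (typo or truncation)
    'ok'       - identical and well-formed
    """
    intended, pasted = intended.strip(), pasted.strip()
    if pasted != intended:
        return "mismatch"
    if not is_valid_legacy_address(pasted):
        return "invalid"
    return "ok"


if __name__ == "__main__":
    # Constructed scenario: the user copied GENESIS_ADDRESS, but the clipboard now
    # holds a placeholder standing in for an attacker-controlled address.
    swapped = "1ATTACKERPLACEHOLDERNOTAREALADDRESS"
    print("untouched clipboard:", check_outgoing_address(GENESIS_ADDRESS, GENESIS_ADDRESS))
    print("swapped clipboard:  ", check_outgoing_address(GENESIS_ADDRESS, swapped))
    typo = GENESIS_ADDRESS[:-1] + "b"
    print("typo in both:       ", check_outgoing_address(typo, typo))
```

The ordering matters: the mismatch test runs first because an attacker's substitute address will itself be perfectly valid, so checksum validation alone would let it through. The checksum test then covers the separate failure mode of a hand-typed or truncated address.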

Even worse, the trojan also seems to be able to steal passwords that users may have stored within their browsers. This is only the latest of such hacks, as plenty of similar campaigns have been reported over the last few months, such as a scam in which hackers stole XRP users' secret keys, or the one in which they used ProLock ransomware to demand six-figure USD ransoms paid in BTC.