Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz).

That’s according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware.

Mekotio, known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal with an aim to steal banking credentials.

First documented by ESET in August 2020, it’s part of a tetrade of banking trojans targeting the region, such as Guildma, Javali, and Grandoreiro, the latter of which was dismantled by law enforcement earlier this year.


“Mekotio shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows, containing backdoor functionality and targeting Spanish- and Portuguese-speaking countries,” the Slovakian cybersecurity firm said at the time.

The malware operation suffered a blow in July 2021 when Spanish law enforcement agencies arrested 16 individuals belonging to a criminal network in connection with orchestrating social engineering campaigns targeting European users that delivered Grandoreiro and Mekotio.

Attack chains involve the use of tax-themed phishing emails that aim to trick recipients into opening malicious attachments or clicking on bogus links that lead to the deployment of an MSI installer file, which, in turn, makes use of an AutoHotKey (AHK) script to launch the malware.

The Red Mongoose Daemon Infection Chain

It’s worth noting that the infection process marks a slight deviation from the one previously detailed by Check Point in November 2021, which made use of an obfuscated batch script that runs a PowerShell script to download a second-stage ZIP file containing the AHK script.

Once installed, Mekotio harvests system information and establishes contact with a command-and-control (C2) server to receive further instructions.

Its main objective is to siphon banking credentials by displaying fake pop-ups that impersonate legitimate banking sites. It can also capture screenshots, log keystrokes, steal clipboard data, and establish persistence on the host using scheduled tasks.

The stolen information can then be used by the threat actors to gain unauthorized access to users’ bank accounts and perform fraudulent transactions.

“The Mekotio banking trojan is a persistent and evolving threat to financial systems, especially in Latin American countries,” Trend Micro said. “It uses phishing emails to infiltrate systems, with the goal of stealing sensitive information while also maintaining a strong foothold on compromised machines.”

The development comes as Mexican cybersecurity firm Scitum disclosed details of a new Latin American banking trojan codenamed Red Mongoose Daemon that, similar to Mekotio, utilizes MSI droppers distributed via phishing emails masquerading as invoices and tax notes.

“The main objective of Red Mongoose Daemon is to steal victims’ banking information by spoofing PIX transactions through overlapping windows,” the company said. “This trojan is aimed at Brazilian end users and employees of organizations with banking information.”

“Red Mongoose Daemon has capabilities for manipulating and creating windows, executing commands, controlling the computer remotely, manipulating web browsers, hijacking clipboards, and impersonating Bitcoin wallets by replacing copied wallets with the ones used by cybercriminals.”

Leave a Reply

Your email address will not be published. Required fields are marked *