A dangerous banking Trojan is targeting people living in Brazil, Chile, Mexico, Spain, Peru and Portugal, according to a warning from researchers at one of the world's best antivirus companies.
They say that the Mekotio banking Trojan, which first began circulating on the web five years ago, has accumulated advanced backdoor capabilities in that time.
The researchers from cybersecurity firm ESET say that the Trojan is capable of “taking screenshots, restarting affected machines, restricting access to legitimate banking websites, and, in some variants, even stealing bitcoins and exfiltrating credentials stored by the Google Chrome browser.”
ESET noted in a blog post how Mekotio has similarities to other banking Trojans that it’s researched in the past, such as “being written in Delphi, using fake pop-up windows and containing backdoor functionality”.
Mekotio is even capable of making itself look “less suspicious” and subsequently deceiving users by masquerading as a security update “using a specific message box.”
As well as this, the malware can then go on to exfiltrate firewall configurations, admin rights, Windows version information, and details about any security solutions installed on the device.
After infecting machines with the malware, threat actors can even “cripple the victim’s machine by attempting to remove all files and folders in the C:\Windows tree.”
Robert Šuman, who led the Mekotio research team, said: “For researchers, the most notable feature of the newest variants of this malware family is its use of an SQL database as a C&C server and how it abuses the legitimate AutoIt interpreter as its primary method of execution.”
In their study, the researchers also explored the way that Mekotio is circulated and found that this is done mainly through spam. Overall, they have discovered 38 distribution chains.
ESET went on to say that “most of these chains consist of several stages and end up downloading a ZIP archive”, adding that this is “a well-known behavior of Latin American banking trojans”.
Šuman added: “Mekotio has followed a rather chaotic development path, with its features being modified very often. Based on its internal versioning, ESET believes there are multiple variants being developed simultaneously.”
Jake Moore, a security specialist at ESET, told Tom’s Guide: “This acts as yet another reminder to be careful with what you download. Trojans can be extremely difficult to spot immediately yet there are ways to identify this wolf in sheep’s clothing. Firstly, you must always verify the origin of any email enticing you to click or download an attachment – especially from unsolicited contact.”
He added: “The reviews and the download count (where possible) are the next giveaway. If the reviews suggest something is up or the download count is way under what you would expect to see then it’s time to avoid it.
“Research is your best friend when it comes to downloading anything to your device but if you are placing anything on your device that you are unsure of, it naturally comes with a risk attached.”