Banking Trojan Expands Its Scope - Mekotio Now Targets Cryptocurrencies Across Latin America

Mekotio banking Trojan, originally known for targeting banking customers in Chile, has been expanding its scope both geographically and tactically. Mekotio is the second banking malware observed doing this within this week. Previously, the BlackRock Android malware was spotted expanding its scope by targeting non-financial applications.

Mekotio expands across Latin America

Mekotio Trojan operators have been regularly updating their malware to cover more financial organizations across several Latin American countries, as well some new enhancements have been observed recently.

  • Researcher found several variants of Mekotio Trojan that were registered to specifically target users in Spain. Besides normal banking services, it would also targeted e-banking users from a small set of countries.
  • The malware spreads through spam emails that use social engineering tactics, like impersonating the identity of government or private agencies to lure the users into clicking on malicious links included in the message body. 
  • Mekotio can steal banking credentials stored in some web browsers such as Google Chrome and Opera. Additionally, it has been updated with the functionality of replacing the bitcoin wallet addresses copied to the clipboard by the attacker's wallet address.


A brief history of Mekotio

Since its first detection in March 2018, Mekotio’s developers have been making gradual improvements in this Windows-based malware, which is developed in Embarcadero Delphi.

  • In July 2018, the Mekotio malware was seen targeting Chilian users, by impersonating the identity of the Chilean Courier company Chilexpress, spreading malicious code that seeks to steal personal information from unsuspecting users who follow email links.
  • In May 2019, Mekotio evolved further, adding several layers of obfuscation in the code, using social engineering techniques via emails to impersonate known entities in Chile.
  • In Aug 2019, some samples of Mekotio were observed posing as a Chilean telephone service company to targets its victims. By now, it had moved outside Chile and spread across Brazil, Peru, Columbia, and India.


Current coverage

As of now, Mekotio malware has a presence in Chile (having the highest detection), followed by Brazil and Mexico (medium level of detection), and then Peru, Colombia, Argentina, Ecuador, and Bolivia.