A banking trojan “Mekotio” has targeted Windows users across Latin America, but this trojan happens to focus on stealing cryptocurrencies.
It has been reported by cybersecurity firm ESET that “Mekotio” has been active since approximately March 2018. Since then, threat actors have been continuously upgrading the capabilities and range of attack, mostly known by targeting over 51 banks.
However, the trojan is now focusing on Bitcoin (BTC), instead of just stealing banking details, as this implies that Mekotio is targeting individual users.
The malicious campaigns were delivered through phishing e-mails by the hackers, and are directed mostly toward Chile and other countries in that region. Still, there have been some cases in Spain reported.
Likewise, the research specifies that a link is included inside the e-mail body, where users click on it and download a .zip file. Once the user unzips the file, a .msi installer appears. If the user installs it, Mekotio’s attack is successful.
Daniel Kundro, a cybersecurity expert at ESET, explained that Mekotio replaces the BTC wallet addresses copied in the clipboard. If the victim wants to make a crypto transfer by copying and pasting a wallet address instead of writing it manually, the exploit replaces the victim’s wallet address with the criminal’s.
It has been analyzed that Kundro warns that cybercriminals behind Mekotio don’t use a single wallet address to receive their stolen BTC, as they often use several BTC wallets to avoid easy transaction tracing.
Thus, the trojan is not limited to just stealing crypto and banking details, it also deploys an attack to steal passwords stored in web browsers.