Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command

    Date: 09/06/2024

    Severity: Critical

    Summary

    Latin America is experiencing a surge in phishing scams that deploy banking Trojans like the infamous Mekotio, BBTok, and Grandoreiro. The criminals responsible for these banking Trojans are utilizing judicial-themed phishing emails, in addition to traditional business-related traps, to reach their victims. Our analysis of Mekotio indicates that these cybercriminals may soon broaden their targets beyond the Latin American region.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs

    userdomainname like "http://37.148.205.26/contadores/m4Ii5mn.php?loTX=w9d2PIfe8t72FHhKOw1PN1EQWGP2ylYFYLIMtZka0UPFOkYTUjq44k8tdOQhFkfeE1u" or url like "http://37.148.205.26/contadores/m4Ii5mn.php?loTX=w9d2PIfe8t72FHhKOw1PN1EQWGP2ylYFYLIMtZka0UPFOkYTUjq44k8tdOQhFkfeE1u" or userdomainname like "http://37.148.205.26/contadores/m4Ii5mn.php?loTXe" or url like "http://37.148.205.26/contadores/m4Ii5mn.php?loTXe" or userdomainname like "https://crgaestudiojuridicoujko.isageek.net/" or url like "https://crgaestudiojuridicoujko.isageek.net/" or userdomainname like "https://2aqrfdiqfew5tzlstrkfkkblzaorktbrjncti27mgpo4hd2legdanlz40gss.b-cdn.net/" or url like "https://2aqrfdiqfew5tzlstrkfkkblzaorktbrjncti27mgpo4hd2legdanlz40gss.b-cdn.net/" or userdomainname like "https://c0m45f8wfr0attwgobf8ixlakeamcnku4ufvlnlokhuqjycvbhrmx2nruv1p.b-cdn.net/" or url like "https://c0m45f8wfr0attwgobf8ixlakeamcnku4ufvlnlokhuqjycvbhrmx2nruv1p.b-cdn.net/" or userdomainname like "https://5os4x7kavxy11gje3lfkghuqbwswtgmf4jmy3fx0foosdp1esfdmtlms2pzi.b-cdn.net/" or url like "https://5os4x7kavxy11gje3lfkghuqbwswtgmf4jmy3fx0foosdp1esfdmtlms2pzi.b-cdn.net/" or userdomainname like "https://3xs8fbp6rb5odi8ysqkatfxjziedfpv1jbjo00upg7gqo6unq9xtj4o3ttog.b-cdn.net/" or url like "https://3xs8fbp6rb5odi8ysqkatfxjziedfpv1jbjo00upg7gqo6unq9xtj4o3ttog.b-cdn.net/" or userdomainname like "http://50.62.182.1/contadores/37.148.205.26:9095" or url like "http://50.62.182.1/contadores/37.148.205.26:9095"

    Hash

    sha1hash IN ("f9f43ae7f455bdaddc0ace89cf1e7458e9963a38","9a0c241e182f81dd498354f7546e47c6255c14f0","3c15b6eba84e2a3551b6af19ad0ab651d2f1594f","50e471381a14a8c728a54294d75797163ce6922e","8cd5bf92cfdc95bcee5c47b2cf86b3be2b8730f6","09672e9208fd30511ed8d779f5769b159116c88b","0199e31719ee5d611385af31fb3821d40473a46f","6d93b56c6066d8a495de0e36e20388ce86267c44","7a822478cbd318c09bbc98f16544e5e1e4cbae9a","e8e3e4eaff9d523b9c51c546989e636ee29558ef","90d1fa684ed6f44b6bd858858791e8695a04799b","54b1a42b0c4af1d46307e16f67e44dde2f6ff24a","45ff1a197d57047c1b59dae7c3e18f309958eb19","0f34c7bd4a6cab705434b6834b51099d988ffa69","080cfe8a4e7dcd388cf5459fcce96b2b1a7090ba","4d3e97b9f8b1ffc17b7c8c00710d7260bde3fa4a","974404a00d0dcbd11e2a50650f0d80674c13bdde","0a9bba01290233999c9298605cb878bf20296087","2a06d162f1d461f36fa63002e055223ec07da02e","a65d19c1a3ddc7cb01217dd25757e080b9023c90","988863c5cde6ce19863c455474a77c49c86072e1","4f6b13e2d863f6826a4e69ad0ca84c61cd9822f2","a8efbcc60315590f70460de75c03e798fd481f26","a4dd8adc9b7b282700bec089f3204eccb64d2c0e","01aa8ea7d37ffbea60b567d4d1b9fa5b4093586c","d1964a6fe0edb2af4c3e86ab829ed7d527de4f23","5b7ed30b3639e2514f7b2fc0e3f9515a539ba287","acd04413c6432fd3ffa37ef33bb983d2a7b575eb","6299c046bf1e01a88c0fdc2953eea68995c8acf8","88379ac5a62950c9a8c61ec6c8dfb3d8b532c662","acb3242443827598e9a3367fd4e35f2b679e619a","9276b03c5d713ba51bab13873dfdb40b28f2a7d8","c782c9a11fcd6d43055aeeaed714a46a85c5b5e0","1891b4f0737b080df18e4833ef90f1d05c696e1d","98c8fcc63f8447b7049e23a9b1991032d679b887","592bd68232eefdcc1ad5f9a6262b75c878c7e6e0","4638cf376eeef422ba1c865891a2b00150bdeed4","8ec8f961ffdb43bf3462360f143444aa9f849f8c","93ee0b789fba41aa227f4d7b4a39698fc3a89750","6db84b5801a8051f50fa0cc892f73d019188da80","39f201e22496af8fb55128eaeaac95789d37f9c2","d33ed76c556857ba218287d36ab11e7af14181dc","6a565360b6d1a1f122ae750f168e8f5a6822e0f7","f96b317469440163d8c883add2c9f82d68164fdc","0199e31719ee5d611385af31fb3821d40473a46f","3a3dc310e4ad599f9f2b3d9caf139379c68926a2","07f06d5c230784618eb54fdf952872f7b3dc3854","2149aeec361ec8d4c3596679fa718fc6235e85aa","d581f9f8334e159e2667f67f170471d4ead06c94","a2d7127d6708ee44aec1ab602b11f89956e8d39d","67e01ea92f0dd5840744f62b79a219fd75301b16","5f3580e83d1bb2bcb48d68e6926109b2aa72bbe6")
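The two queries above compare events against the full indicator URL and against the SHA-1 digest. The example below is added here and is not part of the advisory, Trend Micro's research or Gurucul's TDIR; it generalizes the URL check to host and path, so the two `m4Ii5mn.php` URLs listed above collapse into one endpoint and a request with a fresh query-string value is still caught, and it normalizes hash case before comparing. The indicator values are taken from the advisory; the event records, their `url`/`sha1` fields and the hosts in the sample events are constructed.

```python
"""Match proxy and file events against the advisory's indicators.
Added example, not code from the advisory, Trend Micro or Gurucul: indicator
values come from the advisory; the events and the url/sha1 layout are constructed."""
from urllib.parse import urlsplit

# URL indicators from the advisory; the first two are one endpoint (same host
# and path) that differs only in its query string.
IOC_URLS = [
    "http://37.148.205.26/contadores/m4Ii5mn.php?loTX=w9d2PIfe8t72FHhKOw1PN1EQWGP2ylYFYLIMtZka0UPFOkYTUjq44k8tdOQhFkfeE1u",
    "http://37.148.205.26/contadores/m4Ii5mn.php?loTXe",
    "https://crgaestudiojuridicoujko.isageek.net/",
]
# Two of the advisory's SHA-1 indicators, lower-case for comparison.
IOC_SHA1 = {"f9f43ae7f455bdaddc0ace89cf1e7458e9963a38", "9a0c241e182f81dd498354f7546e47c6255c14f0"}

def endpoint_key(url):
    """Reduce a URL to (host, path): scheme, port and query string are dropped,
    so a fresh query-string variant of a known endpoint still matches."""
    parts = urlsplit(url.strip())
    return ((parts.hostname or "").lower(), parts.path or "/")

IOC_ENDPOINTS = {endpoint_key(u) for u in IOC_URLS}  # 3 URLs -> 2 endpoints

def match_event(event):
    """Return the indicator hits for one event ([] when it is clean)."""
    hits = []
    if event.get("url"):
        host, path = endpoint_key(event["url"])
        if (host, path) in IOC_ENDPOINTS:
            hits.append("url:" + host + path)
    sha1 = (event.get("sha1") or "").lower()  # some tools emit upper-case digests
    if sha1 in IOC_SHA1:
        hits.append("sha1:" + sha1)
    return hits

def scan(events):
    """Map event id -> hits for every event that matched an indicator."""
    return {e["id"]: hits for e in events if (hits := match_event(e))}

# Constructed events: 1 is a new query-string variant of the C2 endpoint, 2 is
# the phishing host in upper case, 3 carries a known SHA-1, 4 is benign.
SAMPLE_EVENTS = [
    {"id": 1, "url": "http://37.148.205.26/contadores/m4Ii5mn.php?loTX=AnotherToken"},
    {"id": 2, "url": "HTTPS://CRGAESTUDIOJURIDICOUJKO.ISAGEEK.NET/"},
    {"id": 3, "url": "https://intranet.example/files/nota.zip",
     "sha1": "F9F43AE7F455BDADDC0ACE89CF1E7458E9963A38"},
    {"id": 4, "url": "https://www.example.com/"},
]
```

Running `scan(SAMPLE_EVENTS)` reports events 1, 2 and 3 and leaves 4 out; the full advisory list can be loaded into `IOC_URLS` and `IOC_SHA1` in place of the subset shown.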

    Reference:

    https://www.trendmicro.com/en_us/research/24/i/banking-trojans-mekotio-looks-to-expand-targets--bbtok-abuses-ut.html 


    Tags: Malware, Trojan, Phishing
