Date: 07/05/2024
Severity: Medium
Summary
The "Mekotio" banking trojan poses a significant threat to financial systems in Latin America. This malware targets online banking users through phishing campaigns and malicious downloads, aiming to steal sensitive financial information such as login credentials and banking details. Mekotio is capable of keylogging, capturing screenshots, and manipulating web sessions to carry out fraudulent transactions. Its prevalence underscores the importance of robust cybersecurity measures, including awareness of phishing tactics and up-to-date antivirus software, to mitigate risks to individuals and financial institutions in the region.
Indicators of Compromise (IOC) List
URL/Domain |
tudoprafrente.org
tudoprafrente.co
https://intimaciones.afip.gob.ar.kdental.cl/Documentos_Intimacion/
https://techpowerup.net/cgefacturacl/descargafactmayo/eletricidad/
https://christcrucifiedinternational.org/descargafactmayo/eletricidad/ |
IP Address |
23.239.4.149
68.233.238.122
34.117.186.192
68.221.121.160 |
Hash |
5e92f0fcddc1478d46914835f012137d7ee3c217
f68d3a25433888aa606e18f0717d693443fe9f5a
3fe5d098952796c0593881800975bcb09f1fe9ed
1087b318449d7184131f0f21a2810013b166bf37
ef22c6b4323a4557ad235f5bd80d995a6a15024a |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
URL/Domain |
userdomainname IN ("tudoprafrente.org", "tudoprafrente.co") or url IN ("tudoprafrente.org", "tudoprafrente.co")
userdomainname IN ("intimaciones.afip.gob.ar.kdental.cl") or url IN ("https://intimaciones.afip.gob.ar.kdental.cl/Documentos_Intimacion/")
userdomainname IN ("techpowerup.net") or url IN ("https://techpowerup.net/cgefacturacl/descargafactmayo/eletricidad/")
userdomainname IN ("christcrucifiedinternational.org") or url IN ("https://christcrucifiedinternational.org/descargafactmayo/eletricidad/") |
IP Address |
dstipaddress IN ("23.239.4.149") or ipaddress IN ("23.239.4.149") or publicipaddress IN ("23.239.4.149") or srcipaddress IN ("23.239.4.149")
dstipaddress IN ("68.233.238.122") or ipaddress IN ("68.233.238.122") or publicipaddress IN ("68.233.238.122") or srcipaddress IN ("68.233.238.122")
dstipaddress IN ("34.117.186.192") or ipaddress IN ("34.117.186.192") or publicipaddress IN ("34.117.186.192") or srcipaddress IN ("34.117.186.192")
dstipaddress IN ("68.221.121.160") or ipaddress IN ("68.221.121.160") or publicipaddress IN ("68.221.121.160") or srcipaddress IN ("68.221.121.160") |
Hash |
sha1hash IN ("5e92f0fcddc1478d46914835f012137d7ee3c217")
sha1hash IN ("f68d3a25433888aa606e18f0717d693443fe9f5a")
sha1hash IN ("3fe5d098952796c0593881800975bcb09f1fe9ed")
sha1hash IN ("1087b318449d7184131f0f21a2810013b166bf37")
sha1hash IN ("ef22c6b4323a4557ad235f5bd80d995a6a15024a") |
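The TDIR queries above each match one indicator against one or more log fields. For teams that want to run the same checks outside the Gurucul platform, here is an added Python example that is not Gurucul's code: it loads the advisory's own IoC values and applies the same field-level logic (domain, exact URL, the four IP fields, SHA1) to log records. The field names mirror the query fields above, and the five records at the bottom are constructed for the demonstration, not real telemetry. It goes slightly beyond the queries in that it also extracts the host from a URL, so a listed domain still fires when the path differs from the one in the IoC list.

```python
"""Match the Mekotio IoCs listed in this advisory against log records.

Added example, not Gurucul's code. IoC values are copied from the advisory;
the log records and field names are assumptions that mirror the TDIR queries.
"""
from urllib.parse import urlparse

# Domains from the advisory's URL/Domain row (hosts of the listed URLs included).
IOC_DOMAINS = {
    "tudoprafrente.org",
    "tudoprafrente.co",
    "intimaciones.afip.gob.ar.kdental.cl",
    "techpowerup.net",
    "christcrucifiedinternational.org",
}
# Full URLs from the advisory, matched exactly like the `url IN (...)` clauses.
IOC_URLS = {
    "https://intimaciones.afip.gob.ar.kdental.cl/Documentos_Intimacion/",
    "https://techpowerup.net/cgefacturacl/descargafactmayo/eletricidad/",
    "https://christcrucifiedinternational.org/descargafactmayo/eletricidad/",
}
IOC_IPS = {"23.239.4.149", "68.233.238.122", "34.117.186.192", "68.221.121.160"}
IOC_SHA1 = {
    "5e92f0fcddc1478d46914835f012137d7ee3c217",
    "f68d3a25433888aa606e18f0717d693443fe9f5a",
    "3fe5d098952796c0593881800975bcb09f1fe9ed",
    "1087b318449d7184131f0f21a2810013b166bf37",
    "ef22c6b4323a4557ad235f5bd80d995a6a15024a",
}

# The four address fields the IP queries check (assumed field names).
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def match_record(rec: dict) -> list:
    """Return the list of IoC hits for one record, in field order.

    Domains and hashes are compared case-insensitively because log sources
    disagree on case; URLs are compared exactly, as in the TDIR queries.
    """
    hits = []
    domain = (rec.get("userdomainname") or "").lower().rstrip(".")
    if domain in IOC_DOMAINS:
        hits.append(f"domain:{domain}")

    url = rec.get("url") or ""
    if url:
        if url in IOC_URLS:
            hits.append(f"url:{url}")
        # Extra step beyond the queries: a listed domain with a different path.
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_DOMAINS and host != domain:
            hits.append(f"url-host:{host}")

    for field in IP_FIELDS:
        ip = rec.get(field)
        if ip in IOC_IPS:
            hits.append(f"{field}:{ip}")

    sha1 = (rec.get("sha1hash") or "").lower()
    if sha1 in IOC_SHA1:
        hits.append(f"sha1:{sha1}")
    return hits


def scan(records) -> list:
    """Return (index, hits) for every record that matched at least one IoC."""
    return [(i, h) for i, rec in enumerate(records) if (h := match_record(rec))]


# Constructed sample records for the demonstration (not real telemetry).
SAMPLE_RECORDS = [
    {"userdomainname": "example.com", "dstipaddress": "192.0.2.10"},
    {"userdomainname": "TudoPraFrente.org", "dstipaddress": "192.0.2.11"},
    {"url": "https://techpowerup.net/cgefacturacl/descargafactmayo/eletricidad/",
     "srcipaddress": "10.0.0.5"},
    {"url": "https://christcrucifiedinternational.org/otherpath/",
     "dstipaddress": "68.221.121.160"},
    {"sha1hash": "5E92F0FCDDC1478D46914835F012137D7EE3C217"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_RECORDS):
        print(f"record {index}: {', '.join(hits)}")
```

Feed `scan()` a list of dicts parsed from whatever log export you have (one dict per event); records 1 through 4 of the sample set match, record 0 does not. Keeping the IoC sets in one place makes it easy to extend the list when the referenced reports publish further indicators.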
References:
https://www.trendmicro.com/en_ae/research/24/g/mekotio-banking-trojan.html
https://thecyberexpress.com/surge-mekotio-banking-trojan-latin-america/