Mekotio Banking Trojan Threatens Financial Systems in Latin America

    Date: 07/04/2024

    Severity: Medium

    Summary

    Recently, Mekotio, a sophisticated banking trojan active since at least 2015, has targeted Latin American countries, especially Brazil, Chile, Mexico, Spain, and Peru, aiming to steal banking credentials through phishing emails and malicious links. It shares origins with other Latin American malware like Grandoreiro, indicating a common threat landscape.

    Indicators of Compromise (IOC) List

    URL/Domain

    tudoprafrente.org

    tudoprafrente.co

    https://intimaciones.afip.gob.ar.kdental.cl/Documentos_Intimacion/

    https://techpowerup.net/cgefacturacl/descargafactmayo/eletricidad/

    https://christcrucifiedinternational.org/descargafactmayo/eletricidad/

    IP Address

    23.239.4.149

    68.233.238.122

    34.117.186.192

    68.221.121.160

    Hash

    5e92f0fcddc1478d46914835f012137d7ee3c217
    
    f68d3a25433888aa606e18f0717d693443fe9f5a
    
    3fe5d098952796c0593881800975bcb09f1fe9ed
    
    1087b318449d7184131f0f21a2810013b166bf37
    
    ef22c6b4323a4557ad235f5bd80d995a6a15024a

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname IN ("tudoprafrente.org") or url IN ("tudoprafrente.org")

    userdomainname IN ("tudoprafrente.co") or url IN ("tudoprafrente.co")

    userdomainname IN ("intimaciones.afip.gob.ar.kdental.cl") or url IN ("https://intimaciones.afip.gob.ar.kdental.cl/Documentos_Intimacion/")

    userdomainname IN ("techpowerup.net") or url IN ("https://techpowerup.net/cgefacturacl/descargafactmayo/eletricidad/")

    userdomainname IN ("christcrucifiedinternational.org") or url IN ("https://christcrucifiedinternational.org/descargafactmayo/eletricidad/")

    IP Address

    dstipaddress IN ("23.239.4.149") or ipaddress IN ("23.239.4.149") or publicipaddress IN ("23.239.4.149") or srcipaddress IN ("23.239.4.149")

    dstipaddress IN ("68.233.238.122") or ipaddress IN ("68.233.238.122") or publicipaddress IN ("68.233.238.122") or srcipaddress IN ("68.233.238.122")

    dstipaddress IN ("34.117.186.192") or ipaddress IN ("34.117.186.192") or publicipaddress IN ("34.117.186.192") or srcipaddress IN ("34.117.186.192")

    dstipaddress IN ("68.221.121.160") or ipaddress IN ("68.221.121.160") or publicipaddress IN ("68.221.121.160") or srcipaddress IN ("68.221.121.160")

    Hash

    sha1hash IN ("5e92f0fcddc1478d46914835f012137d7ee3c217")

    sha1hash IN ("f68d3a25433888aa606e18f0717d693443fe9f5a")

    sha1hash IN ("3fe5d098952796c0593881800975bcb09f1fe9ed")

    sha1hash IN ("1087b318449d7184131f0f21a2810013b166bf37")

    sha1hash IN ("ef22c6b4323a4557ad235f5bd80d995a6a15024a")
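    The TDIR queries above compare each indicator as an exact string. The following Python is an added example, not code from the advisory or from Gurucul: it applies the same indicators to constructed log events using the query field names above, and goes slightly beyond the exact-match queries by matching domains against the URL host (including subdomains) and comparing SHA1 values case-insensitively. The sample events are constructed for illustration.

```python
from urllib.parse import urlparse

# IOCs exactly as listed in the advisory above.
DOMAINS = {"tudoprafrente.org", "tudoprafrente.co", "techpowerup.net",
           "intimaciones.afip.gob.ar.kdental.cl", "christcrucifiedinternational.org"}
IPS = {"23.239.4.149", "68.233.238.122", "34.117.186.192", "68.221.121.160"}
SHA1S = {"5e92f0fcddc1478d46914835f012137d7ee3c217",
         "f68d3a25433888aa606e18f0717d693443fe9f5a",
         "3fe5d098952796c0593881800975bcb09f1fe9ed",
         "1087b318449d7184131f0f21a2810013b166bf37",
         "ef22c6b4323a4557ad235f5bd80d995a6a15024a"}
# The four IP fields the TDIR queries OR together.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

def host_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def url_host(url):
    """Host part of a URL; a bare 'host/path' value gets a scheme so urlparse sees the host."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""

def match_event(event):
    """Return the IOC types matched by one log event (a dict of field -> value)."""
    hits = []
    if "userdomainname" in event and host_matches(event["userdomainname"], DOMAINS):
        hits.append("domain")
    if "url" in event and host_matches(url_host(event["url"]), DOMAINS):
        hits.append("url")
    if any(event.get(f) in IPS for f in IP_FIELDS):
        hits.append("ip")
    if event.get("sha1hash", "").lower() in SHA1S:
        hits.append("sha1")
    return hits

def scan(events):
    """Return (index, hits) for every event that matches at least one IOC."""
    return [(i, match_event(e)) for i, e in enumerate(events) if match_event(e)]

# Constructed sample events, not taken from the advisory, to exercise the matcher.
SAMPLE_EVENTS = [
    {"url": "https://techpowerup.net/cgefacturacl/descargafactmayo/eletricidad/x.zip"},
    {"srcipaddress": "10.0.0.5", "dstipaddress": "68.221.121.160"},
    {"sha1hash": "5E92F0FCDDC1478D46914835F012137D7EE3C217"},
    {"userdomainname": "mail.tudoprafrente.org"},
    {"url": "https://example.com/", "dstipaddress": "192.0.2.1"},
]
```

    Running scan(SAMPLE_EVENTS) flags the first four events (url, ip, sha1, domain) and leaves the last one unmatched.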

    Reference:

    https://www.trendmicro.com/en_us/research/24/g/mekotio-banking-trojan.html
