Mekotio distribution campaign targeting LATAM



The following report describes the TTPs and IOCs identified for a campaign distributing the Mekotio banking trojan in LATAM. SCILabs identified and analyzed it while conducting threat hunting during the third week of September, and the team has continued to monitor it over the last days. The trojan steals credentials of customers of multiple banking institutions by displaying fake forms that impersonate the institutions' legitimate sites; it also attempts to hijack cryptocurrency transactions by replacing wallet addresses copied to the clipboard with the cybercriminals' own wallet address.


During the investigation, no further details were obtained about how this campaign is delivered; however, based on the evidence collected, SCILabs assesses with high confidence that phishing emails and phishing websites are the main initial attack vectors. This report presents the analysis of each element of the campaign. Based on SCILabs telemetry, its modus operandi impersonates Mexican and Chilean tax authorities, the Servicio de Administración Tributaria (SAT) and the Servicio de Impuestos Internos (SII), as the pretext for the phishing emails.


After analyzing the campaign and its artifacts, SCILabs assesses with high confidence that the attackers' overall objective is to install the banking trojan on end users' machines in order to steal their information, targeting LATAM and particularly Chile and Mexico.


Additionally, based on SCILabs intelligence and on information obtained from public and private sources, the campaign has the potential to spread to other LATAM countries and to expand the list of banking institutions it targets, given the versatility of the trojan and the rapid evolution of its TTPs.

How could it affect an organization?


The campaign has the potential to cause financial losses to an organization, because Mekotio's main objective is to steal users' banking information. In addition, during the analysis the trojan was found to be able to drop other malicious artifacts on demand, so it could be combined with other kinds of malware such as ransomware. This could expose the organization's information assets to unauthorized access, hijacking, and data leakage. Considering that the trojan has evolved its TTPs compared with previous campaigns in order to make detection and analysis harder, it is important to be aware of this type of threat.




Threat Context


During the threat hunting process, three artifacts with similar behavior were identified. SCILabs analyzed and investigated each of them to determine whether they belong to the same campaign. Based on this research, SCILabs assesses with high confidence that the Mekotio distribution campaign in Mexico relies on phishing emails impersonating the Servicio de Administración Tributaria (SAT), and with medium confidence that the campaign directed at Chile relies on a fake site impersonating the Servicio de Impuestos Internos (SII).


Figure 1 – Phishing email impersonating the SAT


Figure 2 – Apocryphal page supplanting the SII


Attack flow


Campaign directed to Mexico


Figure 3 – Attack flow directed to Mexico


Campaign directed to Chile


Figure 4 – Attack flow directed to Chile


Malware analysis


As a result of the analysis of the artifacts, SCILabs determined that the campaigns targeting Mexico and Chile use two different versions of the Mekotio trojan. The main difference is that the artifact aimed at Chile bundles the three files needed to run the banking trojan inside the MSI file, instead of downloading them as the version aimed at Mexico does. Both versions share the capabilities listed below:


  • Anti-sandbox checks
  • Packed banking trojan DLL
  • Collection of operating system and architecture information
  • Detection of open windows and deployment of embedded resources according to the institution from which the malware will steal information
  • Clipboard hijacking
  • Theft of banking information


The MSI files were analyzed. In the artifacts directed at Mexico, the download URL was observed; it serves a bundle containing the AutoHotkey executable, its script, and the Mekotio trojan DLL. In the artifact directed at Chile, the malicious artifacts are embedded in the MSI file itself.


Figure 5 – Download URL for malicious artifacts


The conditions required for the malicious MSI file to execute were also obtained; the main ones observed are:


  • The MSI file does not run on computers with names such as JOHN-PC, LISA-PC, SVIARTA, among others
  • The MSI file does not run in virtualized or sandbox environments
  • The MSI file runs only if there is an Internet connection
  • The MSI file does not run on Windows 9x versions


Figure 6 – Launch conditions in MSI file


Once the MSI file verifies that its launch conditions are met, it drops an xy.txt or ko.txt file in the C:\ProgramData directory; this file serves as a verification flag to continue the infection.


One notable characteristic of the custom actions in the MSI file of the campaign directed at Mexico is that they contain obfuscated JavaScript code that performs the following functions:


  • Verify that the compressed folder downloaded by the MSI file exists in the C:\ProgramData\%RandomName% directory and that it contains the malicious artifacts of the Mekotio trojan
  • Extract and rename the artifacts
  • Delete the downloaded compressed folder
  • Create the btdae file, used to check for a previous infection if the MSI file is executed more than once
  • Create the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%RandomName% for persistence
  • Run the AutoHotKey executable to load the Mekotio trojan DLL into memory


All of these operations are performed through ActiveXObject instances.


Figure 7 – Obfuscated Javascript code inside MSI file custom actions
Figure 8 – Obfuscated Javascript Code Fragment


At the end of the infection process, the victim's computer is rebooted; the .ahk script is then run by the AutoHotKey executable, which loads the Mekotio trojan DLL into memory. In the campaign directed at Chile, the victim machine is not rebooted, and the trojan is executed immediately after infection.


Once the trojan is loaded into memory, a flag file named [%month-year%].txt is generated in C:\ProgramData. The trojan then waits for the user to open a web browser and spawns a sub-process that is in charge of displaying fake windows impersonating banking institutions. Once the user browses to a banking page, a nod32.block file is generated, communication with the C2 site begins, and the artifacts for the fake windows are dropped in C:\ProgramData\%BankingInstitution%.
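The host artifacts described in this infection chain (the xy.txt/ko.txt and btdae flags, the month-year flag file, nod32.block, the renamed AutoHotkey executable, script and DLL under C:\ProgramData\%RandomName%, and the HKCU Run value that launches them) can be turned into a hunting check. The following Python script is an added example written for this page, not SCILabs tooling. It runs over a constructed inventory of file paths and Run values, as an EDR or a forensic export would list them, rather than a live host; the sample names kq8d1s and hjk.* are invented, and because the report does not show the exact layout of the [%month-year%].txt name, the pattern used for it is an assumption.

```python
"""Hunt for the Mekotio host artifacts described in the report.

Added example for this page (not SCILabs tooling). It evaluates an exported
inventory of file paths and HKCU Run values, so it runs offline on any OS.
"""
import ntpath
import re
from collections import defaultdict

PROGRAMDATA = r"c:\programdata"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"

# Fixed-name flag files the report says are dropped directly in C:\ProgramData
FLAG_FILES = {"xy.txt", "ko.txt", "btdae", "nod32.block"}

# "[%month-year%].txt": the report does not show the exact layout, so this
# pattern (numeric or named month, a separator, then the year) is an assumption
MONTH_YEAR_TXT = re.compile(r"^(?:\d{1,2}|[a-z]{3,9})[-_ ]\d{2,4}\.txt$", re.I)

# Extensions of the three renamed loader files: AutoHotkey.exe, its .ahk
# script and the trojan DLL, all dropped in C:\ProgramData\%RandomName%
LOADER_EXTS = {".exe", ".ahk", ".dll"}


def _norm(path):
    return path.replace("/", "\\").lower()


def _split_programdata(path):
    """Return (first_subdir, filename) for a path under C:\\ProgramData,
    with first_subdir == "" for files directly in that directory."""
    p = _norm(path)
    prefix = PROGRAMDATA + "\\"
    if not p.startswith(prefix):
        return None
    parts = p[len(prefix):].split("\\")
    return ("", parts[0]) if len(parts) == 1 else (parts[0], parts[-1])


def hunt_files(paths):
    """Return (indicator, detail) findings for a list of file paths."""
    findings = []
    exts_by_dir = defaultdict(set)
    for path in paths:
        loc = _split_programdata(path)
        if loc is None:
            continue
        subdir, name = loc
        if subdir == "":
            if name in FLAG_FILES:
                findings.append(("flag_file", path))
            elif MONTH_YEAR_TXT.match(name):
                findings.append(("month_year_flag", path))
        else:
            exts_by_dir[subdir].add(ntpath.splitext(name)[1])
    # A first-level ProgramData folder holding an .exe, an .ahk and a .dll
    # matches the renamed loader bundle the JavaScript custom action unpacks
    for subdir, exts in sorted(exts_by_dir.items()):
        if LOADER_EXTS <= exts:
            findings.append(("ahk_loader_bundle", PROGRAMDATA + "\\" + subdir))
    return findings


def hunt_run_values(run_values):
    """run_values: (key_path, value_name, command) tuples. Flags Run entries
    whose command launches something from C:\\ProgramData, where the report
    places the renamed AutoHotkey loader."""
    findings = []
    for key, value_name, command in run_values:
        if _norm(key) == RUN_KEY and PROGRAMDATA in _norm(command):
            findings.append(("run_value_programdata", f"{value_name} -> {command}"))
    return findings


# Constructed inventory: the names kq8d1s and hjk.* are invented for the example
SAMPLE_FILES = [
    r"C:\ProgramData\xy.txt",
    r"C:\ProgramData\btdae",
    r"C:\ProgramData\09-2021.txt",
    r"C:\ProgramData\kq8d1s\hjk.exe",
    r"C:\ProgramData\kq8d1s\hjk.ahk",
    r"C:\ProgramData\kq8d1s\hjk.dll",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "kq8d1s",
     r"C:\ProgramData\kq8d1s\hjk.exe C:\ProgramData\kq8d1s\hjk.ahk"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for indicator, detail in hunt_files(SAMPLE_FILES) + hunt_run_values(SAMPLE_RUN_VALUES):
        print(f"{indicator:24} {detail}")
```

A single flag file on its own is weak evidence (the names are short and generic), so the loader bundle plus a Run value pointing into C:\ProgramData is the combination worth escalating; the flag files then confirm which stage the infection reached.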


Figure 9 – Artifacts generated during the execution of the banking trojan


Figure 10 – Sub-process generated by the banking trojan


An important feature found during the analysis carried out by SCILabs is that the trojan can replace the contents of the clipboard. With medium confidence, we assess that when a cryptocurrency wallet address is copied, it is replaced with the cybercriminals' address.


Cybercriminal Wallet: 18MvuBqbvrb6E4KseC91YRFjYNBKfcVp5f
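One way to catch the clipboard substitution described above on an endpoint, as an added example written for this page (not SCILabs' or the malware's code): compare what the user placed on the clipboard with what is later read back from it, and alert when a legitimate Bitcoin address has been replaced. Legacy addresses are validated with Base58Check (version byte, 20-byte hash, 4-byte double-SHA256 checksum), which is public Bitcoin format knowledge. The wallet constant is the one published in the report, the clipboard events and the second replacement address are constructed for the example, bech32 (bc1...) addresses are not handled, and reading the clipboard itself is platform specific and left to the caller.

```python
"""Detect clipboard wallet substitution of the kind the report attributes to
Mekotio. Added example for this page, not SCILabs' or the malware's code.
Clipboard access is platform specific and left to the caller; this module
works on (copied, read_back) pairs."""
import hashlib
import re

# Wallet address published in the report
MEKOTIO_WALLET = "18MvuBqbvrb6E4KseC91YRFjYNBKfcVp5f"

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Rough shape of a legacy (P2PKH/P2SH) address; bech32 (bc1...) is not handled
LEGACY_SHAPE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def b58decode(text):
    """Base58 decode; returns None on a character outside the alphabet."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return None
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))  # each leading '1' is a 0x00 byte
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(text):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    raw = b58decode(text)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def detect_clipboard_swaps(events):
    """events: (copied, read_back) pairs, i.e. the text the user placed on the
    clipboard and the text found there when it was next read.
    Returns (verdict, copied, read_back) alerts."""
    alerts = []
    for copied, read_back in events:
        if copied == read_back:
            continue
        if read_back == MEKOTIO_WALLET:
            alerts.append(("known_mekotio_wallet", copied, read_back))
        elif is_valid_legacy_address(copied) and LEGACY_SHAPE.fullmatch(read_back):
            # The user copied a real address and something address-shaped took
            # its place; note whether the replacement itself passes the checksum
            verdict = ("address_replaced" if is_valid_legacy_address(read_back)
                       else "address_replaced_bad_checksum")
            alerts.append((verdict, copied, read_back))
    return alerts


# Constructed events; GENESIS is the well-known Bitcoin genesis-block address
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SAMPLE_EVENTS = [
    (GENESIS, GENESIS),                                   # untouched: no alert
    ("meeting notes for monday", "meeting notes for monday"),
    (GENESIS, MEKOTIO_WALLET),                            # swapped for the reported wallet
    (GENESIS, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),      # swapped for some other address
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(*alert)
```

Matching the published wallet is the cheapest check but also the most brittle, since the address can be rotated between builds; the generic "valid address copied, different address read back" rule is what keeps working after a rotation, at the cost of needing the pre-copy value, which a user-mode clipboard listener or an EDR clipboard telemetry feed can supply.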


It is also important to mention that, based on the analysis carried out by SCILabs, we assess with medium confidence that the Mekotio C2 sites can detect VPN connections and check geolocation to prevent the trojan from executing in unwanted locations. The ability to download artifacts on demand was also identified: during this analysis, a batch file that deletes the Mekotio trojan DLL was downloaded.


Figure 11 – Artifact downloaded on demand


Most significant changes in Mekotio campaigns



After the previous campaigns, SCILabs continued monitoring the trojan's behavior in the region and identified that Mekotio can abuse legitimate software, such as the VirtualBox Guest Additions Tray Application and the Disc Soft Bus Service Pro from DAEMON Tools, to load itself into memory. In addition, the malware is accompanied by legitimate DLLs such as sptdintf.dll, ipworksedi20.dll, ssleay32.dll, or libeay32.dll, as observed in other similar analyses.


SCILabs has observed that the cybercriminals behind Mekotio constantly evolve their TTPs.


During monitoring in the region, SCILabs also identified the use of compressed ".bat" files to distribute the trojan.


In addition, a PowerShell script was identified that verifies the victim's geolocation (which must correspond to Brazil, Chile, Mexico, Spain, or Peru), checks whether it is running in a virtualized environment, and downloads the artifacts needed to carry out the infection.


Below, we present the attack flow of the last identified campaign.


Figure 12 – Attack flow of the last identified campaign


Based on the evidence found, SCILabs hypothesizes that the cybercriminals behind the threat are Brazilian, due to the typical Brazilian jargon used in the source code of their artifacts.


Figure 13 – Source code found in Mekotio artifacts


TTPs observed aligned to MITRE’s ATT&CK framework


Below is the MITRE ATT&CK mapping of the banking trojan campaign, grouped by tactic:


Initial Access
  • T1566.002 Spearphishing Link

Execution
  • T1059.003 Windows Command Shell
  • T1059.007 JavaScript
  • T1204.001 Malicious Link
  • T1204.002 Malicious File

Persistence
  • T1547 Boot or Logon Autostart Execution

Defense Evasion
  • T1140 Deobfuscate/Decode Files or Information
  • T1036 Masquerading
  • T1027.005 Indicator Removal from Tools
  • T1027.002 Software Packing
  • T1497 Virtualization/Sandbox Evasion
  • T1112 Modify Registry

Credential Access
  • T1056 Input Capture

Discovery
  • T1083 File and Directory Discovery
  • T1010 Application Window Discovery
  • T1082 System Information Discovery
  • T1614 System Location Discovery
  • T1016.001 Internet Connection Discovery
  • T1497.001 System Checks
  • T1012 Query Registry

Collection
  • T1056 Input Capture
  • T1115 Clipboard Data
  • T1005 Data from Local System

Command and Control
  • T1571 Non-Standard Port

Exfiltration
  • T1041 Exfiltration Over C2 Channel

Table 1 – MITRE ATT&CK techniques observed in the banking trojan campaign





According to SCILabs telemetry, as in other campaigns, many trojans targeting LATAM use common techniques and share characteristics: they use droppers, generally obfuscated and written in a different language than the payload; they include backdoor functionality; they use legitimate tools such as AutoHotKey; they use living-off-the-land techniques; and they rapidly evolve their techniques and dynamically generate malicious artifacts to hinder detection and analysis.


A clear example is Mekotio itself: in previous campaigns, AutoIt was used to load the malicious DLL into memory, whereas in the latest campaigns the trojan began to use AutoHotKey as its loader. It also added sandbox detection in every phase of the infection, packing and encryption of the strings corresponding to Mekotio in its artifacts, and detection of VPN connections and geolocation, all in order to make detection and analysis more difficult.


During the analysis of these campaigns, SCILabs observed a technique commonly used by cybercriminals to delete their malicious artifacts if they are detected, by downloading tools for that purpose. This capability could easily be combined with other types of malware, such as ransomware, which could jeopardize the security of organizations' information assets; that is why it is important to monitor these types of campaigns.


Based on SCILabs telemetry, banking trojans targeting the region commonly target customers of the most representative banks, trying to trick users with fake windows in order to steal their confidential information. The initial attack vector of these campaigns is commonly phishing emails or sites that impersonate representative organizations of each country. In Mexico, as seen in the analysis of this campaign, impersonation of the SAT is common, which is why it is extremely important to constantly run awareness campaigns at all levels of the organization so that users recognize the social engineering techniques cybercriminals use to deceive them.


Indicator of compromise (IP address): 20[.]106[.]166[.]75