In July, Spanish police arrested 16 people suspected of laundering money for the gang behind the malware. Now a new version is targeting Spanish-speaking countries, and its authors appear to be a Brazilian criminal group. Check Point reports that it has already blocked more than 100 attacks.
The security researchers at Check Point Research (CPR) report that the attack begins with a spoofed e-mail that impersonates a legitimate brand and carries the subject line "digital tax receipt pending submission", i.e. a digital invoice that supposedly needs the recipient's approval. The researchers suspect a group of Brazilian, that is Portuguese-speaking, criminals behind the new campaign and believe that they also rent the malware out to other groups, a business model that has become common on the criminal market. So far, users in Brazil, Chile, Mexico, Peru and Spain have been particularly affected.
Figure: Path of attack of the banking Trojan Mekotio
Mekotio targets Windows computers. After the initial infection it stays dormant and evades virus scanners until the user logs in to online banking; at that moment it steals the login credentials. The new version has been strengthened in these abilities. The malware arrives via the Spanish-language phishing message described above, which either links to a malicious ZIP archive or carries it as an attachment. Once the archive is downloaded and unpacked, Mekotio silently goes to work. One trick explains why security products rarely detect it: it hides its files with an old-fashioned substitution cipher, a technique so dated that modern scanners often no longer account for it, so their signatures do not match the obfuscated bytes. Note that a substitution cipher is obfuscation rather than real encryption: it only hides the files from scanners that look for the plain strings, and anyone holding the key, or even a few known plaintext strings, can reverse it. In addition, the developers now use the commercial packer Themida to encrypt the payload extensively and to add anti-debugging and anti-monitoring protections to the malicious program.
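The following is an added example, not code from Check Point Research or from the Mekotio sample itself, to illustrate the point about the substitution cipher. It assumes a monoalphabetic substitution over the byte alphabet (a keyed permutation of all 256 byte values; Mekotio's actual cipher and key are not described on this page) and uses a constructed configuration blob with an invented `targets=` signature string. It shows that a plain string signature misses the obfuscated file, and that an analyst who has one decoded sample (for instance, strings recovered from memory) can reconstruct the mapping and deobfuscate other files protected with the same key.

```python
"""Added example: byte-level substitution cipher, signature evasion and
known-plaintext recovery. Nothing here is Mekotio's real cipher or data."""
import random
from typing import Dict

# Constructed sample configs, not real Mekotio artifacts.
SAMPLE_A = (
    b"[config]\n"
    b"c2=http://example.invalid/panel\n"
    b"targets=bank-a.example;bank-b.example\n"
)
SAMPLE_B = b"[update]\ntargets=bank-c.example\noverlay=login.html\n"

# A string a signature-based scanner might look for (invented for the example).
SIGNATURE = b"targets="
UNKNOWN = ord("?")  # placeholder for bytes whose mapping is not yet known


def make_key(seed: int) -> bytes:
    """Return a keyed permutation of all 256 byte values: the cipher key."""
    alphabet = list(range(256))
    random.Random(seed).shuffle(alphabet)
    return bytes(alphabet)


def substitute(data: bytes, key: bytes) -> bytes:
    """Apply the substitution: every plaintext byte p becomes key[p]."""
    return bytes(key[b] for b in data)


def invert(key: bytes) -> bytes:
    """Build the decryption table from a full key (what the malware holds)."""
    inv = bytearray(256)
    for plain, cipher in enumerate(key):
        inv[cipher] = plain
    return bytes(inv)


def contains_signature(blob: bytes, sig: bytes = SIGNATURE) -> bool:
    """Naive signature check: does the literal string occur in the blob?"""
    return sig in blob


def recover_mapping(cipher_blob: bytes, plain_blob: bytes) -> Dict[int, int]:
    """Known-plaintext attack: align an obfuscated file with its decoded form
    and read off cipher -> plain for every byte value that occurs.
    Raises ValueError if the pair is not consistent with one substitution key."""
    if len(cipher_blob) != len(plain_blob):
        raise ValueError("samples differ in length; not a substitution cipher")
    mapping: Dict[int, int] = {}
    for c, p in zip(cipher_blob, plain_blob):
        if mapping.setdefault(c, p) != p:
            raise ValueError("cipher byte maps to two plain bytes; different key?")
    return mapping


def deobfuscate(blob: bytes, mapping: Dict[int, int]) -> bytes:
    """Apply a (possibly partial) recovered mapping; unknown bytes become '?'."""
    return bytes(mapping.get(b, UNKNOWN) for b in blob)


def demo(seed: int = 1234) -> dict:
    """Walk through the attacker's and the analyst's side; returns the results."""
    key = make_key(seed)
    obf_a = substitute(SAMPLE_A, key)  # on-disk file, decoded copy seen in memory
    obf_b = substitute(SAMPLE_B, key)  # second file from the same campaign
    mapping = recover_mapping(obf_a, SAMPLE_A)
    recovered_b = deobfuscate(obf_b, mapping)
    return {
        "roundtrip_ok": substitute(obf_a, invert(key)) == SAMPLE_A,
        "signature_hits_obfuscated": contains_signature(obf_b),
        "signature_hits_recovered": contains_signature(recovered_b),
        "recovered_b": recovered_b,
        "known_byte_values": len(mapping),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The second file comes back as `[?pdate]...overla?=...` because the bytes `u` and `y` never occur in the known-plaintext sample, so their mapping stays unknown; every other byte, including the whole `targets=` signature, is recovered, which is exactly why a substitution cipher is worthless as encryption even though a byte-for-byte signature no longer matches the file on disk.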
The security researchers urge users in the affected countries to treat such e-mails with particular caution and recommend enabling two-factor authentication for online banking, since a stolen password alone is then no longer enough to access the account.