Chile and Brazil among the main countries where Mekotio malware steals cryptocurrencies and bank credentials

The technical team of the cybersecurity company ESET today released a full report on the Mekotio banking trojan, which is highly prevalent in Latin America.

According to the company, which specializes in device security solutions, Mekotio has been present mainly in Chile and Brazil, with a lower incidence in countries such as Mexico, Peru, Colombia, Argentina, Ecuador and Bolivia.

According to ESET, the threat has been active since 2018 with the sole purpose of stealing money from its victims by infecting their computers. It began with a strong focus on Brazil and has since spread to Chile; together, the two countries account for more than 82 percent of detections.

Mekotio's behaviour has evolved since it was first detected, but its variants retain the ability to infect computers and steal banking credentials and cryptocurrencies from compromised machines.

ESET's report singles out the CY variant, detected as Win32/Spy.Mekotio.CY, as the most active one, mainly in Chile, where it aims to steal login credentials for the online banking portals of the 24 banks with the largest presence in the country, followed by Brazil, where it is "targeting 27 banking institutions".

The infection relies on social engineering: the victim receives an email impersonating an official body, with a compressed attachment that executes once the victim opens it.

Once the computer is infected, the Trojan can steal the user's credentials and send them to a remote server, together with the website name, username and password, so that the attackers can access the funds.

As ESET notes, the Trojan specifically targets e-banking users in a small number of countries, but it could be extended to other regions and other targets, such as business accounts.

The Trojan can also steal login credentials that web browsers such as Google Chrome and Opera store on the system, capturing them through the login form.

Mekotio can steal the balance of Bitcoin wallets
The company points out in its report that the threat also extends to stealing the balance of Bitcoin wallets and of other cryptocurrencies in general.

According to ESET, the Trojan can replace Bitcoin wallet addresses copied to the clipboard with the attacker's wallet address.

"This way, if an infected user wants to make a transfer or deposit to a certain address and uses the copy command (right-click/ctrl+c) instead of typing it manually, when they want to paste (right-click/paste/ctrl+v) it will not paste the address to which the transfer was intended, but the address of the attacker," the report reads.

The report adds that if the user fails to notice the difference and goes ahead with the operation, they will end up sending the money to the attacker.

To avoid detection and tracking of the stolen funds, the attackers use different receiving addresses, which are updated with each new version to make the money harder to trace.
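The clipboard swap described above, as an added example that is not from ESET's report or from this article: a behavioural check that a polling clipboard monitor could apply. Because the attackers rotate receiving addresses, a blocklist of known addresses is of little use; the check instead flags any address that is replaced by a different address within a couple of seconds of being copied. The clipboard polls, the `is_btc_address` shape filter and the two wallet strings are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Shape check for legacy Base58 (1.../3...) and native SegWit bech32 (bc1...) addresses.
# Format-only: the address a hijacker swaps in is itself well-formed, so this alone
# never catches a swap; it just tells us which clipboard contents are worth comparing.
BTC_ADDRESS = re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$")


def is_btc_address(text: str) -> bool:
    return bool(BTC_ADDRESS.match(text.strip()))


def detect_clipboard_swaps(samples: List[Tuple[float, str]],
                           window: float = 2.0) -> List[Dict[str, object]]:
    """Flag hijacks in time-ordered (seconds, clipboard_text) polls of the clipboard.
    Heuristic: a person rarely copies two different addresses within a couple of
    seconds, but a hijacker overwrites the copied address almost at once. An address
    replaced by a *different* address within `window` seconds of first appearing is
    reported; repeated polls showing the same text do not reset that clock.
    """
    alerts: List[Dict[str, object]] = []
    prev_t, prev_text = 0.0, ""
    for t, raw in samples:
        text = raw.strip()
        if text == prev_text:
            continue  # unchanged since the previous poll
        if (prev_text and is_btc_address(prev_text) and is_btc_address(text)
                and t - prev_t <= window):
            alerts.append({"at": t, "copied": prev_text, "replaced_with": text})
        prev_t, prev_text = t, text
    return alerts


# Constructed poll log (reading the real clipboard is OS-specific and left out). Both
# addresses are made-up strings with a valid shape, not real wallets. The user copies a
# legacy address at t=1.0; another process overwrites it with a bech32 address 0.2 s later.
LEGACY = "1SampLeAddrQwErTyUiAsDfGhJkZxCvBn"
SEGWIT = "bc1qsample0address0swap0test0qpzry9x8gf2tvdw"
SAMPLE_POLLS = [
    (0.0, "meeting notes"),
    (1.0, LEGACY),
    (1.1, LEGACY),
    (1.2, SEGWIT),    # swapped in right after the copy: should be flagged
    (45.0, "invoice 4411"),
    (60.0, LEGACY),
    (95.0, SEGWIT),   # a different address copied 35 s later: normal use, not flagged
]

if __name__ == "__main__":
    for a in detect_clipboard_swaps(SAMPLE_POLLS):
        print(f"t={a['at']}: {a['copied']} replaced with {a['replaced_with']}")
```

The same comparison can be made at paste time by a wallet application: if the address about to be submitted differs from the one the user copied moments earlier, ask for confirmation before sending.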

ESET cautions that the roughly USD 2,500 in stolen BTC shown in its examples is not close to the real figure, since it does not cover the entire period of Mekotio activity; the true value could be considerably higher.