Security News > 2021 > July > 16 Cybercriminals Behind Mekotio and Grandoreiro Banking Trojan Arrested in Spain
Spanish law enforcement agencies on Wednesday arrested 16 individuals belonging to a criminal network in connection with operating two banking trojans as part of a social engineering campaign targeting financial institutions in Europe.
To lend credibility to their phishing attacks, the operators sent emails under the guise of legitimate package delivery services and government entities such as the Treasury, urging recipients to click on a link that stealthily downloaded malicious software onto their systems.
The malware, dubbed "Mekotio" and "Grandoreiro," functioned by intercepting transactions on a banking website to siphon funds, without authorization, to accounts under the attackers' control.
Grandoreiro and Mekotio are both part of a "Tetrade" of Brazilian banking trojans, as detailed by cybersecurity firm Kaspersky in July 2020. Mekotio's evolving tactics, disclosed by ESET in August 2020, involved displaying fake pop-up windows to its victims in an attempt to entice them into divulging sensitive information.
Operational since at least 2016, Grandoreiro has a history of singling out Brazil, Mexico, Spain, Portugal, and Turkey, "with the attackers regularly improving techniques, striving to stay undetected and active for longer periods of time." Mekotio, on the other hand, has been observed in attacks targeting Brazil dating back to 2018, before expanding to Chile, Mexico, and Spain.
"[Mekotio] steals passwords from browsers and from the device's memory, providing remote access to capture internet banking access," Kaspersky researchers explained in a report published Wednesday.