Security News > 2021 > November > Stealthier version of Mekotio banking trojan spotted in the wild
A new version of a banking trojan known as Mekotio is being deployed in the wild, with malware analysts reporting that it's using a new, stealthier infection flow.
The last notable activity of Mekotio dates back to the summer of 2020 when the trojan's operators deployed it in a campaign targeting Latin American countries.
If the checks confirm the victim is in Latin America and the malware isn't running on a virtual machine, the second ZIP, which contains the Mekotio payload in DLL form, is extracted.
Use of Themida v3 for packing the final DLL payload. CheckPoint reports seeing approximately 100 attacks in the past three months deploying cipher substitution techniques, which albeit simple, help Mekotio go undetected by most AV products.
CheckPoint says the new campaign was launched right after the Spanish Civil Guard arrested 16 people in Mexico, linked with local Mekotio distribution.
The core Mekotio crew appears to be based in Brazil, and it's assumed that they are Mekotio's creators who are now selling it to other cybercriminals.