A Banking Trojan That Steals Crypto Is Targeting Latin American Users

The “Mekotio” trojan went from conventional banking malware one fine-tuned to steal crypto.

Cybersecurity experts are warning about a family of banking trojans that target Windows users across Latin America, but this trojan happens to focus on stealing cryptocurrencies.

According to a report published by cybersecurity firm ESET, the malware is known as “Mekotio” and has been active since approximately March 2018. Since then, threat actors have been continuously upgrading the capabilities and range of attack, mostly known by targeting over 51 banks.

But now the trojan is focusing on Bitcoin (BTC), instead of just stealing banking details. This implies that Mekotio is targeting individual users.

Spain is also on Mekotio’s radar

The malicious campaigns were delivered through phishing emails by the hackers, and are directed mostly toward Chile and other countries in that region. Still, there have been some cases in Spain reported.

The research specifies that a link is included inside the email body, where users click on it and download a .zip file. Once the user unzips the file, a .msi installer appears. If the user installs it, Mekotio’s attack is successful.

Daniel Kundro, a cybersecurity expert at ESET, explained that Mekotio replaces the BTC wallet addresses copied in the clipboard. If the victim wants to make a crypto transfer by copying and pasting a wallet address instead of writing it manually, the exploit replaces the victim’s wallet address with the criminal’s.

Multiple cybercriminals’ BTC wallet addresses involved in the attack

Kundro warns that cybercriminals behind Mekotio don’t use a single wallet address to receive their stolen BTC. They often use several BTC wallets to avoid easy transaction tracing.

But the trojan isn’t limited to just stealing crypto and banking details — it also deploys an attack to steal passwords stored in web browsers.

According to a recent study by Group-IB, a ransomware known as ProLock relies on the Qakbot banking trojan to launch the attack and asks the targets for six-figure USD ransoms paid out in BTC to decrypt the files.

Cryptocurrencies forensics experts from Xrplorer also warned on June 15 of an elaborate phishing scam where hackers try to steal the secret keys of XRP users, under the false premise that Ripple is giving away tokens.