A banking trojan that steals crypto-currencies is targeting Latin American users

Cybersecurity experts warn of a family of banking Trojans targeting Windows users in Latin America, one of which focuses on stealing cryptocurrencies.

According to a report published by the cybersecurity company ESET, the malware is known as "Mekotio" and has been active since approximately March 2018. Since then, its operators have continuously improved the Trojan's capabilities and scope; it is best known for targeting more than 51 banks.

But now the Trojan focuses on Bitcoin rather than just stealing bank details, which implies that Mekotio is targeting individual users.


Spain is also on the Mekotio radar
The malicious campaigns were delivered through phishing emails and mainly targeted Chile and other countries in the region. However, some cases have also been reported in Spain.

The research specifies that a link is included in the body of the email; when users click on it, a .zip file is downloaded. Once the user decompresses the file, an .msi installer appears. If the user runs it, the Mekotio infection is complete.


Daniel Kundro, an ESET cybersecurity expert, explained that Mekotio replaces BTC wallet addresses copied to the clipboard. If the victim makes a crypto transfer by copying and pasting a wallet address instead of typing it in manually, the Trojan replaces the intended wallet address with the criminal's.
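The clipboard substitution described above can be caught on the user's side by checking that what is pasted is still what was copied. The following is an added example, not ESET's research code or anything from the Mekotio sample: it validates legacy Base58Check Bitcoin addresses and flags a clipboard change to a different address that the user did not copy. The clipboard event stream is constructed, and the addresses are well-known public example addresses (the Genesis block address and the Bitcoin wiki example), not addresses tied to this campaign.

```python
import hashlib

# Base58 alphabet used by legacy (P2PKH/P2SH) Bitcoin addresses.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s):
    """Decode a Base58 string to bytes; leading '1' characters become leading zero bytes."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_btc_legacy_address(s):
    """True if s is a well-formed P2PKH (0x00) or P2SH (0x05) address with a valid checksum."""
    raw = b58decode(s)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return check == raw[21:]


def detect_swaps(events):
    """events: list of (source, text). 'user' = a copy the user made, 'poll' = a clipboard read.
    Returns (copied, found) pairs where a BTC address the user copied was replaced by another address."""
    swaps = []
    last_user = None
    for source, text in events:
        if source == "user":
            last_user = text
        elif (last_user and text != last_user
              and is_btc_legacy_address(last_user) and is_btc_legacy_address(text)):
            swaps.append((last_user, text))
    return swaps


# Constructed clipboard log: the third event models a swap the user never performed.
SAMPLE_EVENTS = [
    ("user", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("poll", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),
    ("poll", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ("user", "hello"),
    ("poll", "hello"),
]

if __name__ == "__main__":
    for copied, found in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard address changed without a user copy: {copied} -> {found}")
```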

BTC wallet addresses of several cybercriminals are involved in the attack
Kundro warns that the cybercriminals behind Mekotio do not use a single wallet address to receive the stolen BTC. They use multiple BTC wallets to make the transactions harder to trace.


But the Trojan not only steals cryptocurrencies and bank details; it also steals passwords stored in web browsers.

According to a recent study by Group-IB, a ransomware known as ProLock relies on the Qakbot banking Trojan to launch its attacks and demands six-figure dollar ransoms, paid in BTC, to decrypt the victims' files.

Xrplorer’s forensic crypto experts also warned on June 15 about an elaborate phishing scam where hackers try to steal the secret keys of XRP users, under the false premise that Ripple is giving away tokens.