A Banking Trojan That Steals Crypto Is Targeting Latin American Users

Published at: July 17, 2020

Cybersecurity experts are warning about a family of banking trojans that targets Windows users across Latin America; this particular trojan, however, has turned its focus to stealing cryptocurrency.

According to a report published by cybersecurity firm ESET, the malware, known as “Mekotio”, has been active since approximately March 2018. Since then, the threat actors have continuously upgraded its capabilities and widened its range of attack; it is best known for targeting over 51 banks.

Now, however, the trojan is focusing on Bitcoin (BTC) rather than only on stealing banking details, which means Mekotio is targeting individual users.

Spain is also on Mekotio’s radar

The hackers deliver the malicious campaigns through phishing emails, directed mostly at Chile and other countries in the region, although some cases have also been reported in Spain.

The research specifies that the email body contains a link; when the user clicks it, a .zip file is downloaded. Once the user unzips the file, a .msi installer appears, and if the user runs it, Mekotio’s infection succeeds.

Daniel Kundro, a cybersecurity expert at ESET, explained that Mekotio replaces BTC wallet addresses copied to the clipboard. If the victim makes a crypto transfer by copying and pasting a wallet address instead of typing it manually, the malware swaps the intended wallet address for the criminal’s.
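As an added illustration (not from ESET’s report or this article), the following Python check shows why address-format validation alone does not catch a clipboard swap: the substituted address is perfectly well-formed, so a wallet or user must compare the pasted address against the one they actually intended. The sample inputs are the public Bitcoin genesis-block address and a textbook example address from the Bitcoin wiki, used here purely as a stand-in for an attacker-controlled one.

```python
import hashlib

# Base58 alphabet used by legacy Bitcoin addresses (0, O, I and l are excluded)
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Sample inputs for the demonstration (not from the article):
# the well-known genesis-block coinbase address, standing in for the address the
# user meant to pay, and a Bitcoin-wiki example address standing in for a swapped one.
INTENDED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SWAPPED = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"


def base58check_decode(addr: str) -> bytes:
    """Decode a Base58Check string and verify its 4-byte double-SHA256 checksum.
    Raises ValueError on an invalid character or a checksum mismatch."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Every leading '1' encodes one leading zero byte of the payload.
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    full = b"\x00" * leading_zeros + body
    if len(full) < 5:
        raise ValueError("address too short")
    payload, checksum = full[:-4], full[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("checksum mismatch")
    return payload


def is_valid_legacy_address(addr: str) -> bool:
    """True for a mainnet P2PKH (version 0x00) or P2SH (version 0x05) address."""
    try:
        payload = base58check_decode(addr)
    except ValueError:
        return False
    return len(payload) == 21 and payload[0] in (0x00, 0x05)


def check_destination(intended: str, pasted: str) -> str:
    """Classify what ended up in the send form relative to the intended address:
    'ok' (identical), 'malformed' (fails checksum/format), or 'substituted'
    (a well-formed but different address, the signature of a clipboard swap)."""
    intended, pasted = intended.strip(), pasted.strip()
    if not is_valid_legacy_address(pasted):
        return "malformed"
    return "ok" if pasted == intended else "substituted"
```

A checksum check only catches typos; the swap case is detectable solely by re-reading the pasted address against the invoice before signing.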

Multiple cybercriminals’ BTC wallet addresses involved in the attack

Kundro warns that the cybercriminals behind Mekotio don’t use a single wallet address to receive the stolen BTC. They rotate between several BTC wallets to make transaction tracing harder.

But the trojan isn’t limited to just stealing crypto and banking details — it also deploys an attack to steal passwords stored in web browsers.

According to a recent study by Group-IB, ransomware known as ProLock relies on the Qakbot banking trojan to launch its attack and demands six-figure USD ransoms, paid in BTC, to decrypt the files.

Cryptocurrency forensics experts from Xrplorer also warned on June 15 of an elaborate phishing scam in which hackers try to steal the secret keys of XRP users under the false premise that Ripple is giving away tokens.
