Mekotio is another Latin American banking trojan that mainly targets users in Brazil, Mexico, Spain, Chile, Peru, and Portugal. It is distributed via phishing emails and maintains persistence either by creating an LNK file in the startup folder or by using a Run key. It is capable of stealing cryptocurrency from a targeted user, taking screenshots, rebooting infected systems, restricting access to legitimate banking websites, and stealing credentials from Google Chrome. The trojan can also access the user's system settings, information about the Windows OS, the firewall configuration, and the list of installed antivirus solutions.

The Mekotio banking trojan can also act as a simple wiper by deleting system files and folders. The most notable feature of the newest variants of this malware family is the use of an SQL database as a C&C server. The C&C servers used by Mekotio are either based on the open-source Delphi Remote Access PC project or use an SQL database that stores C&C commands. Mekotio calls specific SQL procedures stored on the server side, using credentials hardcoded in the binary.

Osman Demir released a new community Sigma rule that detects the installation of the trojan and its persistence mechanisms.


The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Microsoft Defender ATP, Elastic Endpoint



Tactics: Initial Access, Persistence

Techniques: Registry Run Keys / Startup Folder (T1060), Spearphishing Link (T1192)
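The two persistence mechanisms described above (a Run key value or an LNK file in the startup folder) can be hunted for in endpoint telemetry. The following is an added example, not Osman Demir's Sigma rule or any SOC Prime content: it assumes Sysmon-style events (Event ID 13 for registry value set, Event ID 11 for file creation) already parsed into dictionaries, treats autoruns pointing at user-writable paths as the suspicious case (a heuristic assumed here, not taken from the article), and runs over constructed sample events.

```python
import re

# Sysmon reports registry paths as HKU\<SID>\...\Run\<value> or HKLM\...\Run\<value>.
RUN_KEY = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion"
    r"\\run(once)?\\[^\\]+$", re.IGNORECASE)
# Per-user and all-users startup folders share this path suffix.
STARTUP_LNK = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$",
    re.IGNORECASE)
# Assumption: an autorun that launches from a user-writable location needs review.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|programdata|users\\public)\\", re.IGNORECASE)

def classify(event):
    """Return a finding name for one Sysmon-style event dict, or None."""
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        # "Details" holds the data written to the value (the command to run).
        if USER_WRITABLE.search(event.get("Details", "")):
            return "run_key_user_writable_target"
    if eid == 11 and STARTUP_LNK.search(event.get("TargetFilename", "")):
        return "startup_folder_lnk"
    return None

def detect(events):
    """Return (index, finding) for every event that matches a persistence pattern."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed sample events (not real telemetry, not Mekotio indicators).
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user1\AppData\Roaming\example\example.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\user1\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\example.lnk"},
    {"EventID": 11, "TargetFilename": r"C:\Users\user1\Desktop\notes.lnk"},
]

if __name__ == "__main__":
    for index, finding in detect(SAMPLE_EVENTS):
        print(index, finding)
```

Legitimate installers also write Run keys and startup shortcuts, so findings from this logic are leads to triage against the creating process rather than verdicts.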


Explore more rules published by Osman Demir at Threat Detection Marketplace.
