Detection Content: Mekotio Banking Trojan

Mekotio is another Latin American banking trojan, targeting users mainly in Brazil, Mexico, Spain, Chile, Peru, and Portugal. It is distributed via phishing emails and establishes persistence either by creating an LNK file in the Startup folder or by adding a Run registry key. It is capable of stealing cryptocurrency from a targeted user, taking screenshots, rebooting infected systems, restricting access to legitimate banking websites, and stealing credentials from Google Chrome. The banking trojan can also collect the user's system settings, information about the Windows OS, the firewall configuration, and the list of installed antivirus solutions.

Mekotio can also act as a simple wiper by deleting system files and folders. The most notable feature of the newest variants of this malware family is the use of an SQL database as a C&C server. The C&C servers used by Mekotio are either based on the open-source Delphi Remote Access PC project or use an SQL database that stores C&C commands; in the latter case Mekotio calls specific stored procedures on the server side using credentials hardcoded in the binary.

Osman Demir has released a new community Sigma rule to detect the installation of the trojan and its persistence mechanisms.

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: Carbon Black, Microsoft Defender ATP, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Initial Access, Persistence

Techniques: Registry Run Keys / Startup Folder (T1060), Spearphishing Link (T1192)
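To show what the two persistence mechanisms look like in endpoint telemetry, here is an added example (not the Sigma rule above or any SOC Prime code): a minimal Python detector for Run-key writes and Startup-folder LNK creation, run over constructed Sysmon-style events. Field names (EventID, Image, TargetObject, TargetFilename) follow Sysmon; the sample paths and file names are placeholders, not real Mekotio indicators.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple

# Run / RunOnce keys under either HKCU/HKU or HKLM (case-insensitive).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# An .lnk dropped directly into a user's or the common Startup folder.
STARTUP_LNK_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Label a persistence indicator, or return None for a benign event.

    Sysmon EventID 13 = RegistryEvent (value set); EventID 11 = FileCreate.
    """
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return "persistence:run_key"
    if eid == 11 and STARTUP_LNK_RE.search(event.get("TargetFilename", "")):
        return "persistence:startup_lnk"
    return None


def scan(events: Iterable[dict]) -> Iterator[Tuple[str, str, str]]:
    """Yield (label, writing process, target) for every matching event."""
    for ev in events:
        label = classify(ev)
        if label:
            target = ev.get("TargetObject") or ev.get("TargetFilename") or ""
            yield (label, ev.get("Image", ""), target)


# Constructed sample events: two persistence writes and two benign events.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\upd.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Documents\notes.txt"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

On a real fleet these two checks alone are noisy, since legitimate installers also write Run keys; tuning usually means excluding known-good Image paths and prioritising writes made by processes running from user-writable locations such as Temp or AppData, as in the first two sample events.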

Explore more rules published by Osman Demir at Threat Detection Marketplace.


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.