Back in June, police in Spain arrested 16 people accused of being part of a gang laundering stolen money with the Mekotio and Grandoreiro banking trojans. The suspects in that arrest had already swiped more than $320,000, authorities said, but were on the verge of taking about $4 million before their arrests.
But that arrest wasn’t the end for the malware. In the last three months, Mekotio malware has been used to actively target victims again, a report published Wednesday by Check Point Research suggests, with more than 100 attacks detected that show new stealth and evasion techniques in Brazil, Chile, Mexico, Spain and Peru.
“Although the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio distribution in July 2021, it appears the gang behind the malware is still active,” said Kobi Eisenkraft, the malware research and protection team leader at Check Point.
The research, written by Check Point’s Arie Olshtein and Abedalla Hadra, suggests new infection methods and obfuscation techniques such as a substitution cipher — one of the oldest encryption methods — which allows the malware to go undetected by most antivirus software. The latest iteration delivered the malware via unsolicited zip files in spoofed emails from legitimate organizations titled “digital tax receipt pending submission.”
The arrests may have garnered international attention, but the developers behind Mekotio “were able to narrow the gap quickly and change tactics to avoid detection,” the researchers wrote. It’s a demonstration of how even when law enforcement zeroes in on hackers, they can still try to adapt to get back in business.
Mekotio is a “typical Latin American banking trojan” dating to at least 2015 and thought to have been developed by Brazilian cyber criminals cybersecurity firm ESET reported last year. At the time, the malware was tailored to target Latin American banks and other financial institutions by sending victims spam emails with zip archives. By 2020 the malware was part of attacks against banks in Europe, especially Spain, which “attracted substantially more attention … than before, whether it was from researchers, companies or police forces,” an ESET spokesperson told The Record in July.
Researchers with Kaspersky grouped Mekotio (also known as “Melcoz”) into a larger group they called Tetrade, as one of four major banking trojans developed in the Brazilian criminal underground with a “strong local flavor.” That research, published last year, noted that the malware had evolved substantially over the years to enable criminal groups in different countries to collaborate.