We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
TrojanSpy:Win32/Mekotio!MTB
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
Mekotio is a geolocation-specific Trojan that steals banking information—traditional and online. Mekotio was first detected in March 2018 primarily attacking Windows systems in Latin America. In 2020, Mekotio attacks changed focus to Europe after Mekotio perpetrators apparently took an interest in Spanish banks.
Mekotio can steal online banking (cryptocurrency) information by changing the victim’s Wallet address to the attacker’s Wallet address, rebooting the infected system, stealing credentials from Google Chrome, and restricting access to legitimate banking websites.
Recently, Mekotio dynamic link library (DLL) files were found in HTML smuggling campaigns.
Continue reading to learn how Mekotio campaigns evade antivirus application detections by dividing into various files that are protected with techniques that vary according to the sample.
Impact
Keep backups so you can recover data affected by Trojan malware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
For additional tips on how to inform end users of keeping a device safe, use the following advice. Inform users to:
- Avoid opening suspicious/irrelevant emails with links or attachments.
- Make sure software downloads and updates are from verified sources and legitimate developers.
- Keep a backup of important files so that even when malware attacks arise file replacement from backup is possible.
- To protect device and user safety, ensure Microsoft Defender is updated.
- Use Microsoft Defender for regular system scans and removal of detected/potential threat like Mekotio.
To learn more about preventing Trojans, read about preventing malware infection.
