{"id":19044,"date":"2020-09-02T10:35:39","date_gmt":"2020-09-02T02:35:39","guid":{"rendered":"https:\/\/version-2.com\/?p=19044"},"modified":"2020-11-04T13:23:11","modified_gmt":"2020-11-04T05:23:11","slug":"eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/","title":{"rendered":"ESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n

BRATISLAVA, PRAGUE<\/strong>\u00a0\u2013\u00a0 ESET researchers yet again look into notorious Latin American banking trojans. This time they\u2019ve explored Mekotio, a banking trojan targeting Spanish- and Portuguese-speaking countries: mainly Brazil, Chile, Mexico, Spain, Peru and Portugal. Mekotio boasts several typical backdoor activities, including taking screenshots, restarting affected machines, restricting access to legitimate banking websites, and, in some variants, even stealing bitcoins and exfiltrating credentials stored by the Google Chrome browser.<\/p>\n

Mekotio has been active since at least 2015 and, as with other banking trojans ESET has investigated, shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows and containing backdoor functionality. To look less suspicious, Mekotio tries to impersonate a security update using a specific message box.<\/p>\n

There are many technical details Mekotio is able to access from its victims, including information about the firewall configuration, administrator privileges, the Windows OS version, and a list of anti-fraud products and antimalware solutions installed. One command even tries to cripple the victim\u2019s machine by attempting to remove all files and folders in the C:\\Windows tree.<\/p>\n

\u201cFor researchers, the most notable feature of the newest variants of this malware family is its use of an SQL database as a C&C server and how it abuses the legitimate AutoIt interpreter as its primary method of execution,\u201d elaborates Robert \u0160uman, the ESET researcher leading the team of investigators focused on Mekotio.<\/p>\n

The malware is predominantly distributed via spam. Since 2018, ESET researchers have observed 38 different distribution chains used by this family. Most of these chains consist of several stages and end up downloading a ZIP archive \u2013 a well-known behavior of Latin American banking trojans.<\/p>\n

\u201cMekotio has followed a rather chaotic development path, with its features being modified very often. Based on its internal versioning, ESET believes there are multiple variants being developed simultaneously,\u201d adds \u0160uman.<\/p>\n

For more technical details about Mekotio, read the blogpost \u201cMekotio: These aren\u2019t the security updates you\u2019re looking for\u2026<\/a>\u201d on WeLiveSecurity. Make sure to follow\u00a0ESET research on Twitter<\/a>\u00a0for the latest news from ESET Research.<\/p>\n

\n\"\"
\nCountries affected by Mekotio<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t
\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

About Version 2 Digital<\/h3>

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.\n

\nThrough an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\n\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

About ESET<\/strong>
For 30 years, ESET\u00ae has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET\u2019s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24\/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single \u201cin-the-wild\u201d malware without interruption since 2003.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"

BRATISLAVA, PRAGUE\u00a0\u2013\u00a0 ESET researchers yet again look i […]<\/p>","protected":false},"author":143524195,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[40,61,99],"tags":[41,98],"class_list":["post-19044","post","type-post","status-publish","format-standard","hentry","category-eset","category-press-release","category-year2020","tag-eset","tag-98"],"acf":[],"yoast_head":"\nESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/version-2.com\/en\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials - Version 2\" \/>\n<meta property=\"og:description\" content=\"BRATISLAVA, PRAGUE\u00a0\u2013\u00a0 ESET researchers yet again look i […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/version-2.com\/en\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/\" \/>\n<meta property=\"og:site_name\" content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2020-09-02T02:35:39+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-11-04T05:23:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/version-2.com\/wp-content\/uploads\/2020\/08\/csm_mekotio_affected_countries_26e3a09010.png\" \/>\n<meta name=\"author\" content=\"version2hk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"version2hk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2020\\\/09\\\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2020\\\/09\\\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\\\/\"},\"author\":{\"name\":\"version2hk\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\"},\"headline\":\"ESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials\",\"datePublished\":\"2020-09-02T02:35:39+00:00\",\"dateModified\":\"2020-11-04T05:23:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2020\\\/09\\\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\\\/\"},\"wordCount\":368,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"keywords\":[\"ESET\",\"2020\"],\"articleSection\":[\"ESET\",\"Press Release\",\"2020\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2020\\\/09\\\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\\\/\",\"url\":\"https:\\\/\\\/version-2.com\\\/2020\\\/09\\\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\\\/\",\"name\":\"ESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials - Version 2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\"},\"datePublished\":\"2020-09-02T02:35:39+00:00\",\"dateModified\":\"2020-11-04T05:23:11+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2020\\\/09\\\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/version-2.com\\\/2020\\\/09\\\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2020\\\/09\\\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/version-2.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"name\":\"Version 2\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/version-2.com\\\/zh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\",\"name\":\"Version 2\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"width\":1795,\"height\":335,\"caption\":\"Version 2\"},\"image\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\",\"name\":\"version2hk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"caption\":\"version2hk\"},\"sameAs\":[\"http:\\\/\\\/version2xfortcom.wordpress.com\"],\"url\":\"https:\\\/\\\/version-2.com\\\/en\\\/author\\\/version2hk\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials - Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/version-2.com\/en\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/","og_locale":"en_US","og_type":"article","og_title":"ESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials - Version 2","og_description":"BRATISLAVA, PRAGUE\u00a0\u2013\u00a0 ESET researchers yet again look i […]","og_url":"https:\/\/version-2.com\/en\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/","og_site_name":"Version 2","article_published_time":"2020-09-02T02:35:39+00:00","article_modified_time":"2020-11-04T05:23:11+00:00","og_image":[{"url":"https:\/\/version-2.com\/wp-content\/uploads\/2020\/08\/csm_mekotio_affected_countries_26e3a09010.png","type":"","width":"","height":""}],"author":"version2hk","twitter_card":"summary_large_image","twitter_misc":{"Written by":"version2hk","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/version-2.com\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/#article","isPartOf":{"@id":"https:\/\/version-2.com\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/"},"author":{"name":"version2hk","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/d14d2d3cd77ffdb618b9f1330fe084db"},"headline":"ESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials","datePublished":"2020-09-02T02:35:39+00:00","dateModified":"2020-11-04T05:23:11+00:00","mainEntityOfPage":{"@id":"https:\/\/version-2.com\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/"},"wordCount":368,"publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"keywords":["ESET","2020"],"articleSection":["ESET","Press Release","2020"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/version-2.com\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/","url":"https:\/\/version-2.com\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/","name":"ESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials - Version 2","isPartOf":{"@id":"https:\/\/version-2.com\/zh\/#website"},"datePublished":"2020-09-02T02:35:39+00:00","dateModified":"2020-11-04T05:23:11+00:00","breadcrumb":{"@id":"https:\/\/version-2.com\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/version-2.com\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/version-2.com\/2020\/09\/eset-research-mekotio-banking-trojan-fakes-security-update-steals-bitcoins-and-exfiltrates-google-credentials\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9801","item":"https:\/\/version-2.com\/"},{"@type":"ListItem","position":2,"name":"ESET Research: Mekotio banking trojan fakes security update, steals bitcoins and exfiltrates Google credentials"}]},{"@type":"WebSite","@id":"https:\/\/version-2.com\/zh\/#website","url":"https:\/\/version-2.com\/zh\/","name":"Version 2","description":"","publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/version-2.com\/zh\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/version-2.com\/zh\/#organization","name":"Version 2","url":"https:\/\/version-2.com\/zh\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","contentUrl":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","width":1795,"height":335,"caption":"Version 2"},"image":{"@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/d14d2d3cd77ffdb618b9f1330fe084db","name":"version2hk","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","caption":"version2hk"},"sameAs":["http:\/\/version2xfortcom.wordpress.com"],"url":"https:\/\/version-2.com\/en\/author\/version2hk\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbQRKm-4Xa","post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/19044","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/users\/143524195"}],"replies":[{"embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/comments?post=19044"}],"version-history":[{"count":5,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/19044\/revisions"}],"predecessor-version":[{"id":19989,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/19044\/revisions\/19989"}],"wp:attachment":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/media?parent=19044"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/categories?post=19044"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/tags?post=19044"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}