{Warning} Mekotio: A banking trojan and a bitcoin clipboard stealing malware

[Baofeng]

This is  geo-targeted banking trojan, specially targeting countries, Brazil, Chile, Mexico, Spain, Peru and Portugal. It will display a fake pop up security updates:



Then will install the trojans keylogger in your system, you can see below the flow of the attack and infection.



And it's typicial behavior:

• take screenshots
• manipulate windows
• simulate mouse and keyboard actions
• restart the machine
• restrict access to various banking websites and update itself
• steal bitcoins by replacing a bitcoin wallet in the clipboard

bitcoin address of the criminals

Code:

1PkVmYNiT6mobnDgq8M6YLXWqFraW2jdAk
159cFxcSSpup2D4NSZiuBXgsGfgxWCHppv
1H35EiMsXDeDJif2fTC98i81n4JBVFfru6

https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/


So again, we need to be very careful updating not just our banking software, but any softwares regardless if it is a desktop or mobile apps. Check everything before you click.

[1714583846]

1714583846

[1714583846]

1714583846

[1714583846]

1714583846

[1714583846]

1714583846

[Eureka_07]

I always do not prefer updating any software if it is not needed. The up message kinda looks old, is there any button there except for that OK button for us to not trigger the malware?
Thanks for sharing it, I'll be much careful on updating any softwares.

Wondering if there are any antivirus or malware detector services that can get rid of this.

[cryptomaniac_xxx]

So initially this is a banking trojan that evolves into another clipware malware, so dual purpose now.  This banking trojan has existed before, but it seems that those cyber threat actors saw another lucrative and easy target - crypto users. And it's really scary because it can really take over your system and we feel helpless. Again, update our system and be attentive of security updates message. Verify everything first before downloading.

[jademaxsuy]

This is really hard to guess what programs to be installed or not. The program interface were being copied. Is there any distinguishing details if it is the real program needing an update or a malware?

Internet is not safe anymore because of the hackers. They tend to abuse cryptocurrency in their hacking/phishing activities. Here in our place facebook was being targeted and vulnerable to hacking activity. The hackers also use bitcoin to pay them in returning the fb account. This is the trend here in our place but fb does only want to secure account by using the mobile number as account recovery.

The good thing is that more users here are active at this identifying scammers and fraud people wiling to share it here that we can learn. This is the reason why I always visiting this section for this is the appropritate section to learn about cryptocurrency and the new trends of ill people(scammers,hackers&fraudsters).

Do we have a police force.or taskforce reporting this people into a certain thread about conerns like this? I'll be happy to see if there and it will.be organize so that I could easily review the things that hackers and scammers did on their MODUS OPERANDI.

[Jating]

I always do not prefer updating any software if it is not needed. The up message kinda looks old, is there any button there except for that OK button for us to not trigger the malware?
Thanks for sharing it, I'll be much careful on updating any softwares.

Wondering if there are any antivirus or malware detector services that can get rid of this.

Obviously, it was ESET who discovered this trojan/malware so definitely they have an idea on how to catch this. You can also read https://www.pcrisk.com/removal-guides/18076-mekotio-trojan on how to remove it manually.

Maybe the message looks old, but it is very effective especially you don't have any options but to click OK to proceed and then you get infected.

[Lucius]

For a Trojan that has been around since 2015 and is spreading mostly via spam messages we should already be pretty safe if we have adopted at least 2 rules to follow when using the internet. The first is to protect your device with a quality antivirus that most likely has an antivirus definition of this trojan in its database, and the second is not to open links from e-mails.

And I guess it has been written a million times on the forum that it is mandatory to check our coin addresses if you need character by character before sending/receiving a transaction. The creators of malware only succeed because internet users are not educated enough to recognize the threat, and this is actually very easy if you just pause for a moment and think about what you want to do next.