Mekotio Banking Trojan Returns to Spain Using an Alleged Invoice as Bait

The Mekotio banking Trojan is back in our country with new tactics, techniques and procedures for infecting victims' devices and thereby gaining access to their online bank accounts.

The cybercriminals reuse an email template to defraud users: the subject line refers to an electronic invoice whose payment is pending. However, they do not always use the same infection chain.

Users who receive these emails are curious to see what invoice they have pending, but if they click on the link they are redirected to download a file created by the scammers.

Email: invoice pending payment.

Users may be curious about the image and download the file without knowing that malware is hiding inside.

ESET notes on its blog that the cybercriminals use "space related to the Azure cloud hosting service" to host the malicious file that starts the infection chain. This results in shorter-lived download links, since such services quickly detect this type of threat, although even if a link is only active for a few hours, that may be "more than enough" for the criminals to achieve their purpose.

Inside the downloaded ZIP file there are two further files, including an executable with an eye-catching name intended to trick the user into running it.

Invoice pending payment.


This executable is a downloader built with NSIS (Nullsoft Scriptable Install System); it contacts servers controlled by the cybercriminals to download and run the payload.

This step is new in the infection chains used by the Mekotio banking Trojan, as the fraudsters usually delegate this first stage of the infection to an MSI file.

The payload contains three files:

  • The interpreter for the AutoHotkey scripting language.
  • An AutoHotkey script responsible for loading the banking Trojan.
  • The Mekotio banking Trojan itself.

They may also impersonate the identity of the victim.

Once executed, the script registers the AutoHotkey loader in the 'Run' key of the Windows Registry so that it persists across reboots, and identifies the victim by gathering basic system information (username, computer name, operating system version and installed antivirus) and sending it to a command and control server set up by the cybercriminals.
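Added example (not from the article or from ESET): a Python triage helper that applies the persistence detail above, flagging Run-key entries that launch an AutoHotkey interpreter or an .ahk script, or that run from a user-writable folder; the Run-key values it scans are constructed sample data rather than real Mekotio artefacts.

```python
"""Triage of Windows Run-key autostart entries for an AutoHotkey-style loader.

The loader registers the AutoHotkey interpreter under the Registry 'Run' key,
so a defender can review those values for an interpreter, an .ahk script, or a
binary living in a user-writable folder. The entries below are constructed
sample data; in practice they would be read from the HKCU/HKLM Run keys.
"""
import re
from typing import Dict, List

# Directory fragments a normal user can write to (lower-cased, backslash paths).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def classify_entry(command: str) -> Dict[str, object]:
    """Return severity and reasons for one Run-key command line ('none' if benign)."""
    cmd = command.lower()
    # First token is the executable: either a quoted path or a bare one.
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    exe = (m.group(1) or m.group(2)) if m else cmd
    exe_name = exe.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if exe_name.startswith("autohotkey"):
        reasons.append("AutoHotkey interpreter registered for autostart")
    if re.search(r"\.ahk\b", cmd):
        reasons.append("command launches an .ahk script")
    strong = bool(reasons)  # interpreter/script evidence is the real signal
    if any(d in exe for d in USER_WRITABLE):
        reasons.append("executable lives in a user-writable directory")
    severity = "high" if strong else ("low" if reasons else "none")
    return {"severity": severity, "reasons": reasons}

def scan_run_key(entries: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Classify every value of a Run key; benign entries are dropped."""
    result = {}
    for name, cmd in entries.items():
        verdict = classify_entry(cmd)
        if verdict["severity"] != "none":
            result[name] = verdict
    return result

# Constructed sample: one system binary, one legitimate per-user app, one loader.
SAMPLE_RUN_KEY = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Facturas": r'"C:\Users\ana\AppData\Roaming\Facturas\AutoHotkey.exe" "C:\Users\ana\AppData\Roaming\Facturas\loader.ahk"',
}

if __name__ == "__main__":
    for name, verdict in scan_run_key(SAMPLE_RUN_KEY).items():
        print(f"{name}: {verdict['severity']} - {'; '.join(verdict['reasons'])}")
```

The per-user OneDrive entry is kept at "low" on purpose: a user-writable path alone is common for legitimate software, so it is the interpreter and script evidence that should drive the alert.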

This type of Trojan specializes in stealing online banking credentials, which can cause serious economic damage to companies and individuals.
