Chile and Brazil are among the countries most affected by the Mekotio malware, which steals cryptocurrencies and banking data

The technical team at the cybersecurity company ESET today released a full report on the banking Trojan Mekotio, which has a high incidence in Latin America.

According to the company, which specializes in device security solutions, Mekotio is present mainly in Chile and Brazil, with a lower incidence in countries such as Mexico, Peru, Colombia, Argentina, Ecuador and Bolivia.

According to ESET, the threat has existed since 2018 with the sole purpose of stealing money from its victims by infecting their computers. It started with a strong focus on Brazil and has since expanded to Chile, which now accounts for more than 82 percent of the detections between the two countries.


Mekotio's functionality has evolved since it was first detected, but its variants still infect computers in order to steal banking and cryptocurrency credentials from them.

ESET points out in its report that the variant detected as Win32/Spy.Mekotio.CY is the one with the largest number of cases, mainly in Chile, where it targets the login data for the e-banking portals of the 24 banks with the largest presence in the country, followed by Brazil, where it targets “27 banking institutions”.

Its operation relies on social engineering: the victim receives an email that imitates an official site and carries a compressed attachment, which executes when the victim opens it.

Once the computer is infected, the Trojan can steal the user’s credentials and send them to a remote server, together with the website name, username and password used to log in.

As ESET notes, this Trojan targets e-banking users in a small number of countries. However, it could be extended to other regions and to other targets, such as business accounts.

The Trojan can also steal the login data that web browsers such as Google Chrome and Opera have saved on the system from login forms.

Mekotio can steal balances from Bitcoin wallets

In its report, the company points out that the threat also has the ability to steal funds from Bitcoin wallets and, more generally, from other cryptocurrencies.

According to ESET, the Trojan can replace a Bitcoin wallet address copied to the clipboard with the attacker’s wallet address.

Thus, when an infected user wants to transfer or deposit to a specific address and copies it (right-click > Copy or Ctrl+C) instead of typing it manually, what gets pasted (right-click > Paste or Ctrl+V) is not the intended destination address but the attacker’s address, the report explains.

It adds that if the user does not notice the difference and proceeds, they will end up sending the money to the attacker.

To prevent the stolen funds from being discovered and traced, the attackers use several different receiving addresses, which are updated in new versions of the malware to make tracking more difficult.

For the company, the observed examples of stolen BTC worth around USD 2,500 are not a realistic total, because that figure does not cover the entire period of Mekotio’s activity, and the real value could therefore be considerably higher.

Safe practices are the best weapon against Mekotio

The company recommends simple, secure habits to avoid falling victim to this type of attack. For cryptocurrencies in particular, it is important to always check that the destination address for a transaction is correct and not to rely on a simple “copy and paste”.
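As an added illustration of that check (this is not ESET's code or anything from the report), here is how a wallet front end could verify a pasted address before funds are sent: it validates the Base58Check checksum of whatever landed in the paste buffer and compares it with the address the user originally selected, so the clipboard swap described above is flagged as "swapped" rather than silently accepted. It assumes legacy Base58Check Bitcoin addresses; the sample addresses are constructed inside the code, and bech32 addresses would need a different decoder.

```python
from typing import Optional
import hashlib

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(version: int, data: bytes) -> str:
    """Encode a version byte plus payload with its Base58Check checksum
    (used here only to construct sample addresses for the demonstration)."""
    raw = bytes([version]) + data
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Each leading zero byte is represented by a leading '1'.
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + digits


def base58check_decode(address: str) -> Optional[bytes]:
    """Return version byte + payload if the checksum verifies, else None."""
    n = 0
    for ch in address:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None  # character outside the Base58 alphabet
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None  # corrupted, truncated or forged address
    return raw[:-4]


def check_pasted_address(intended: str, pasted: str) -> str:
    """Classify what landed in the paste buffer against the address the
    user actually selected: 'ok', 'swapped' or 'invalid'."""
    if base58check_decode(pasted) is None:
        return "invalid"  # not a well-formed legacy Bitcoin address
    if pasted != intended:
        return "swapped"  # well-formed, but not the address we copied
    return "ok"
```

In a real wallet, `intended` would be the address captured at the moment the user selected it (for example from a contact list or a scanned QR code), and `pasted` the value read from the transaction form just before signing.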

To avoid infection, it is also important not to open links contained in spam and not to download attachments from this type of email; if a download does start automatically, do not open the file.

Of course, it is always important to have an up-to-date security product, keep the computer’s software updated, and be wary of downloading executable files from third-party sites and unofficial stores.
