{
	"id": "b9338b92-28a5-4b77-9145-569aa47d4b7d",
	"created_at": "2026-04-06T00:15:35.034847Z",
	"updated_at": "2026-04-10T03:21:52.013725Z",
	"deleted_at": null,
	"sha1_hash": "dcc6a4a3f694de330815c4972b5ab8044ec7d7d9",
	"title": "Mekotio: These aren’t the security updates you’re looking for…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 553573,
	"plain_text": "Mekotio: These aren’t the security updates you’re looking for…\r\nBy ESET Research\r\nArchived: 2026-04-02 12:12:59 UTC\r\nIn this installment of our series, we introduce Mekotio, a Latin American banking trojan targeting mainly Brazil,\r\nChile, Mexico, Spain, Peru and Portugal. The most notable feature of the newest variants of this malware family is\r\nusing a SQL database as a C\u0026C server.\r\nFigure 1. Countries affected by Mekotio\r\nAs with many other Latin American banking trojans we have described earlier in this series, Mekotio has followed\r\na rather chaotic development path, with its features being modified very often. Based on its internal versioning,\r\nwe believe there are multiple variants being developed simultaneously. However, similar to Casbaneiro, these\r\nvariants are practically impossible to separate from each other, so we will refer to them all as Mekotio.\r\nCharacteristics\r\nMekotio is a typical Latin American banking trojan that has been active since at least 2015. As such, it attacks by\r\ndisplaying fake pop-up windows to its victims, trying to entice them to divulge sensitive information. These\r\nwindows are carefully designed to target Latin American banks and other financial institutions.\r\nMekotio collects the following information about its victims:\r\nFirewall configuration\r\nWhether the victim has administrative privileges\r\nhttps://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/\r\nPage 1 of 11\n\nVersion of the installed Windows operating system\r\nWhether anti-fraud protection products (GAS Tecnologia Warsaw and IBM Trusteer[1]) are installed\r\nList of installed antimalware solutions\r\nMekotio ensures persistence either by using a Run key or creating an LNK file in the startup folder.\r\nAs is common for most Latin American banking trojans, Mekotio has several typical backdoor capabilities. 
It can\r\ntake screenshots, manipulate windows, simulate mouse and keyboard actions, restart the machine, restrict access\r\nto various banking websites and update itself. Some variants are also able to steal bitcoins by replacing a bitcoin\r\nwallet address in the clipboard and to exfiltrate credentials stored by the Google Chrome browser. Interestingly, one\r\ncommand is apparently intended to cripple the victim’s machine by trying to remove all files and folders in\r\nthe C:\\Windows tree.\r\nOne way to identify Mekotio is a specific message box the trojan displays on several occasions (see Figure 2).\r\nFigure 2. Message box used by all Mekotio variants\r\n(translation: “We are currently performing security updates on the site! Please, try again later! New security measures are being\r\nadopted: (1) new security plugin and (2) new visual look of the site. Your system will be restarted to complete the operation.”)\r\nTo ease stealing passwords with its keylogging feature, Mekotio disables the “AutoComplete” option in Internet\r\nExplorer. When enabled, this feature saves time for Internet Explorer users by remembering inputs on various\r\ntypes of fields that have been filled in previously; with it disabled, the victim has to retype credentials, which the\r\nkeylogger then captures. Mekotio turns it off by setting the following Windows Registry values:\r\nHKCU\\Software\\Microsoft\\windows\\CurrentVersion\\Explorer\\AutoComplete\\\r\nAutoSuggest = “No”\r\nHKCU\\Software\\Microsoft\\Internet Explorer\\Main\\\r\nUse FormSuggest = “No”\r\nFormSuggest Passwords = “No”\r\nFormSuggest PW Ask = “No”\r\nFor an in-depth analysis of one specific variant of Mekotio targeting Chile, refer to ESET’s recently published\r\narticle (in Spanish).\r\nDistribution\r\nWe believe the main distribution method for Mekotio is spam (see Figure 3 for an example). Since 2018, we have\r\nobserved 38 different distribution chains used by this family. 
Most of these chains consist of several stages and\r\nend up downloading a ZIP archive, as is typical for Latin American banking trojans. We dissect the two most\r\ncommonly used chains in the following sections.\r\nFigure 3. Example of a spam email distributing Mekotio\r\n(Translation: “Dear citizen, Your requested receipt: … Download receipt”)\r\nChain 1: Passing context\r\nThe first chain consists of four consecutive stages, as illustrated in Figure 4. A simple BAT dropper drops a\r\nVBScript downloader and executes it with two command line parameters: a custom HTTP verb[2] (“111SA”)\r\nand the URL from which to download the next stage. The downloader fetches the next stage (yet another\r\ndownloader) from the provided URL using a custom User-Agent value (“MyCustomUser” and its\r\nvariations). The third stage downloads a PowerShell script and patches the URL from which to download Mekotio\r\ninto the script’s body before executing it. The PowerShell script then downloads Mekotio from the patched\r\nURL and installs and executes it (the execution process is described in detail later).\r\nFigure 4. One distribution chain used by Mekotio that passes context between stages\r\nThere are two interesting things about this chain. The first is the use of custom values for both the User-Agent\r\nheader and the HTTP verb. Both are unusual on the wire and can be used to identify some of Mekotio’s network activity,\r\nfor example in proxy logs.\r\nThe other interesting aspect is the passing of context (either as command line arguments or by modifying the body\r\nof the next stage). This is a simple yet effective anti-analysis technique, because if you have Downloader\r\n1 without the matching Dropper, you will have neither the URL nor the custom HTTP verb needed to obtain the\r\nnext stage of the malware. 
Likewise, having Downloader 3 without Downloader 2 is useless, because the URL is\r\nmissing. This approach makes analysis harder without knowledge of the context.\r\nChain 2: MSI with embedded JavaScript\r\nAs with many other Latin American banking trojans, Mekotio utilizes MSI in some of its latest distribution chains.\r\nIn this case, the chain is much shorter and less robust, as only a single JavaScript file, serving as the final stage, is\r\nembedded in the MSI and executed.\r\nCompared to the PowerShell final stage from the previous chain, there are some visible similarities. The main one\r\n(shown in Figure 5) is the installation routine, called after downloading and extracting the ZIP archive, that\r\nrenames the contents of the extracted ZIP archive according to file size. That is closely connected to the execution\r\nmethod described in the next section.\r\nFigure 5. Comparison of installation routine in JavaScript and PowerShell scripts used by Mekotio, highlighting\r\nthe similarity in basing the decision on file size\r\nExecution by abusing AutoIt interpreter\r\nMekotio is most commonly executed by abusing the legitimate AutoIt interpreter. In this scenario, the ZIP archive\r\ncontains (besides the Mekotio banking trojan) a legitimate AutoIt interpreter and a small AutoIt loader or injector\r\nscript. The final stage of the distribution chain executes the AutoIt interpreter and passes the loader or injector\r\nscript to it to interpret. That script then executes the banking trojan. Figure 6 illustrates the whole process.\r\nFigure 6. 
The execution method most commonly used by Mekotio\r\nMekotio is not the only Latin American banking trojan using this method, but it favors it significantly more than\r\nits competitors.\r\nCryptography\r\nThe algorithm used to encrypt strings in Mekotio’s binaries is essentially the same one Casbaneiro uses. However,\r\nmany variants of Mekotio modify how the data are processed before being decrypted. The first few bytes of the\r\nhardcoded decryption key may be ignored, as may some bytes of the encrypted string. Some variants further\r\nencode encrypted strings with base64. The specifics of these methods vary.\r\nC\u0026C server communication\r\nSQL database as C\u0026C server\r\nSome variants of Mekotio base their network protocol on Delphi_Remote_Access_PC, as does Casbaneiro. When\r\nthat is not the case, Mekotio utilizes a SQL database as a sort of C\u0026C server. This technique is not unheard of in\r\nrelation to Latin American banking trojans. Instead of issuing SELECT statements, Mekotio seems to rely on executing\r\nstored procedures, so the underlying database schema is not immediately clear. However, the database login\r\nstring is still hardcoded in the binary.\r\nC\u0026C server address generation\r\nWe have observed three different algorithms for how Mekotio obtains the address of its C\u0026C server. We describe\r\nthem below in the chronological order in which we encountered them.\r\nBased on hardcoded lists of “fake domains”\r\nThe first method relies on two hardcoded lists of domains: one for generating the C\u0026C domain and the other\r\nfor the port. A random domain is chosen from each list and resolved. The resolved IP address is further modified. 
When\r\ngenerating the C\u0026C domain, a hardcoded number is subtracted from the last octet of the resolved IP address.\r\nWhen generating the C\u0026C port, the octets are concatenated and the result is read as a decimal number. For clarity, we have\r\nimplemented both algorithms in Python, as seen in Figure 7. Notice that this approach is surprisingly similar to the\r\none used by Casbaneiro (marked as method 5 in the hyperlinked analysis).\r\nimport random\r\nimport socket\r\ndef to_ip(domain):\r\n    return socket.gethostbyname(domain)  # resolve a \"fake domain\" to its IPv4 address\r\n\r\ndef generate_domain(base_domains, num):\r\n    ip = to_ip(random.choice(base_domains))\r\n    octets = ip.split(\".\")\r\n    # The hardcoded constant is subtracted from the last octet\r\n    octets[3] = str(int(octets[3]) - num)\r\n    return \".\".join(octets)\r\n\r\ndef generate_port(base_domains):\r\n    ip = to_ip(random.choice(base_domains))\r\n    # The four octets are concatenated and read as a decimal number\r\n    return int(\"\".join(ip.split(\".\")))\r\nFigure 7. Code for generating C\u0026C domain and port from hardcoded lists of domains\r\nBased on current hour\r\nThe second approach utilizes a Domain Generation Algorithm (DGA) based on current local time (therefore, the\r\nvictim’s time zone affects the result). The algorithm takes the current day of the week, day of the month and hour\r\nand uses them to generate a single string. It then calculates the MD5 of that string, represented as a hexadecimal\r\nstring. 
The result joined with a hardcoded suffix is the C\u0026C server domain (its port is hardcoded in the binary).\r\nFigure 8 shows our Python implementation of this algorithm.\r\nimport hashlib\r\nfrom datetime import datetime\r\nday_names = {\r\n    0: \"MON\",\r\n    1: \"TUE\",\r\n    2: \"WED\",\r\n    3: \"THU\",\r\n    4: \"FRI\",\r\n    5: \"SAT\",\r\n    6: \"SUN\",\r\n}\r\nhour_names = {\r\n    7: \"AM02\",\r\n    8: \"AM03\",\r\n    9: \"AM04\",\r\n    10: \"AM05\",\r\n    11: \"AM06\",\r\n    12: \"PM01\",\r\n    13: \"PM02\",\r\n    14: \"PM03\",\r\n    15: \"PM04\",\r\n    16: \"PM05\",\r\n    17: \"PM06\",\r\n}\r\ndef get_hour_name(hour):\r\n    # Every hour outside 07-17 maps to the same bucket\r\n    if hour \u003c= 6 or hour \u003e= 18:\r\n        return \"AM01\"\r\n    return hour_names[hour]\r\ndef generate_domain(suffix):\r\n    now = datetime.now()  # local time, so the victim's time zone affects the result\r\n    dga_data = \"%s%02d%s\" % (day_names[now.weekday()], now.day, get_hour_name(now.hour))\r\n    dga_data = hashlib.md5(dga_data.encode()).hexdigest()\r\n    return dga_data.lower() + suffix\r\nFigure 8. Code for generating C\u0026C domain based on current hour\r\nBased on current day\r\nThe third algorithm is somewhat similar to the second one. It differs in the format of the string created from local\r\ntime and in the fact that it uses a different suffix each day. Additionally, it generates the C\u0026C port in a similar\r\nmanner. Once again, the Python re-implementation of the code is shown in Figure 9.\r\nimport hashlib\r\nfrom datetime import datetime\r\ndef generate_domain(domains_list, subdomain):\r\n    now = datetime.now()\r\n    dga_data = \"%02d%02d%s\" % (now.day, now.month, subdomain)\r\n    dga_data = hashlib.md5(dga_data.encode()).hexdigest()\r\n    # The suffix is taken from a 31-entry list indexed by day of the month\r\n    return dga_data[:20] + \".\" + domains_list[now.day - 1]\r\ndef generate_port():\r\n    now = datetime.now()\r\n    # Day, zero-padded weekday (0 = Monday) and month concatenated as decimal digits\r\n    return int(\"%d%02d%d\" % (now.day, now.weekday(), now.month))\r\nFigure 9. 
Code for generating C\u0026C domain and port based on current day\r\nMultiple concurrent variants?\r\nWe already mentioned that, similar to other Latin American banking trojans, Mekotio follows a rather chaotic\r\ndevelopment cycle. Besides that, however, there are indicators that multiple variants of Mekotio are being\r\ndeveloped simultaneously.\r\nThe two main indicators are internal versioning and the format of the string used for exfiltrating the information about\r\nthe victim’s machine collected by Mekotio. We have identified four different versioning schemes:\r\nNumbering (001, 002, 072, 39A, …)\r\nVersion by date (01-07, 15-06, 17-10, 20-09, …)\r\nVersion by full date (02_03_20, 13_03_20, 26_05_20, …)\r\nNumbering and date combined (103--30-09, 279--07-05, 293--25-05, …)\r\nEach of these schemes is associated with a specific format of the exfiltrated data string. Since we see several of\r\nthese schemes in use at the same time, we believe that there may be multiple threat actors using different variants of\r\nMekotio.\r\nConclusion\r\nIn this blog post, we have analyzed Mekotio, a Latin American banking trojan active since at least 2015. 
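One thing the figures above do not show is how a defender would actually use these algorithms. Each figure yields only the domain for the current moment on the analyst’s own clock, but both time-based schemes depend solely on the victim’s local date (plus, for the hour-based one, a coarse hour bucket), so the complete candidate set for any period can be enumerated ahead of time for a blocklist or a DNS-log hunt. The following re-implementation does that; it is an added example written for this edition rather than code from ESET’s post, and the suffix, the 31-entry per-day domain list and the subdomain string are placeholders standing in for values that are hardcoded per sample:

```python
# Added example (not ESET's code): pre-compute the candidate C&C domains of the two
# time-based schemes over a date range, independent of the analyst's local clock.
import hashlib
from datetime import date, timedelta

# Placeholder constants assumed for illustration. In a real sample the suffix, the
# 31-entry per-day domain list and the subdomain string are hardcoded per variant.
SUFFIX = '.suffix.invalid'
SUBDOMAIN = 'sub'
DAY_DOMAINS = ['day%02d.invalid' % i for i in range(1, 32)]

DAY_NAMES = ['MON', 'TUE', 'WED', 'THU', 'FRI', 'SAT', 'SUN']   # index == date.weekday()
HOUR_NAMES = {7: 'AM02', 8: 'AM03', 9: 'AM04', 10: 'AM05', 11: 'AM06',
              12: 'PM01', 13: 'PM02', 14: 'PM03', 15: 'PM04', 16: 'PM05', 17: 'PM06'}


def md5_hex(text):
    return hashlib.md5(text.encode('ascii')).hexdigest()


def hour_bucket(hour):
    # Hours 00-06 and 18-23 all collapse into the single AM01 bucket.
    return HOUR_NAMES.get(hour, 'AM01')


def hour_based_domain(day, hour, suffix=SUFFIX):
    # Hour-based scheme: MD5 of <weekday><day-of-month><hour bucket>, plus a fixed suffix.
    seed = '%s%02d%s' % (DAY_NAMES[day.weekday()], day.day, hour_bucket(hour))
    return md5_hex(seed) + suffix


def hour_based_domains_for_day(day, suffix=SUFFIX):
    # The bucketing means a day yields at most 12 distinct domains, not 24.
    return sorted({hour_based_domain(day, h, suffix) for h in range(24)})


def day_based_domain(day, domains=DAY_DOMAINS, subdomain=SUBDOMAIN):
    # Day-based scheme: first 20 hex chars of MD5(<day><month><subdomain>) as a label
    # under a suffix chosen from a 31-entry list by day of the month.
    digest = md5_hex('%02d%02d%s' % (day.day, day.month, subdomain))
    return digest[:20] + '.' + domains[day.day - 1]


def day_based_port(day):
    # Day-based scheme: day, zero-padded weekday and month concatenated as decimal digits.
    return int('%d%02d%d' % (day.day, day.weekday(), day.month))


def port_in_range(port):
    # As transcribed, the formula exceeds 65535 for many dates from October onwards.
    return 0 < port < 65536


def enumerate_candidates(start, end):
    # Inclusive date range -> sorted list of every domain either scheme could produce.
    found = set()
    for offset in range((end - start).days + 1):
        day = start + timedelta(days=offset)
        found.update(hour_based_domains_for_day(day))
        found.add(day_based_domain(day))
    return sorted(found)


if __name__ == '__main__':
    for name in enumerate_candidates(date(2020, 8, 13), date(2020, 8, 14)):
        print(name)
```

Two details are worth noting. Hours 00 to 06 and 18 to 23 all map to the AM01 bucket, so the hour-based scheme produces at most 12 distinct domains per day rather than 24, which keeps the blocklist small. And the day-based port formula, as transcribed in Figure 9, concatenates day, weekday and month as decimal digits, which exceeds 65535 for many dates from October onwards (7 October 2020, a Wednesday, gives 70210), so the port is a weaker indicator than the domain and the range check above flags such values.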
As in the\r\nother banking trojans described in this series, Mekotio shares the characteristics common to this type of malware,\r\nsuch as being written in Delphi, using fake pop-up windows, containing backdoor functionality and targeting\r\nSpanish- and Portuguese-speaking countries.\r\nWe have focused on the most interesting features of this banking trojan, such as its primary method of execution\r\nby abusing the legitimate AutoIt interpreter, its use of a SQL database as a C\u0026C server and the different methods\r\nMekotio uses to generate the address of its C\u0026C server.\r\nWe have also mentioned several features that are surprisingly similar to Casbaneiro.\r\nFor any inquiries, contact us at threatintel@eset.com. Indicators of Compromise can also be found in our GitHub\r\nrepository.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nMekotio samples\r\nSHA-1 | Description | ESET detection name\r\nAEA1FD2062CD6E1C0430CA36967D359F922A2EC3 | Mekotio banking trojan (SQL variant) | Win32/Spy.Mekotio.CQ\r\n8CBD4BE36646E98C9D8C18DA954942620E515F32 | Mekotio banking trojan | Win32/Spy.Mekotio.O\r\n297C2EDE67AE6F4C27858DCB0E84C495A57A7677 | Mekotio banking trojan | Win32/Spy.Mekotio.DD\r\n511C7CFC2B942ED9FD7F99E309A81CEBD1228B50 | Mekotio banking trojan | Win32/Spy.Mekotio.T\r\n47C3C058B651A04CA7C0FF54F883A05E2A3D0B90 | Mekotio banking trojan | Win32/Spy.Mekotio.CD\r\nLegitimate AutoIt interpreter being abused\r\nSHA-1 | Description | ESET detection name\r\nACC07666F4C1D4461D3E1C263CF6A194A8DD1544 | AutoIt v3 Script interpreter | clean\r\nNetwork communication\r\nUser-Agent: “MyCustomUser”, “4M5yC6u4stom5U8se3r” (and other variations)\r\nHTTP verb: “111SA”\r\nBitcoin 
wallets\r\n1PkVmYNiT6mobnDgq8M6YLXWqFraW2jdAk\r\n159cFxcSSpup2D4NSZiuBXgsGfgxWCHppv\r\n1H35EiMsXDeDJif2fTC98i81n4JBVFfru6\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 7 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link | Mekotio distribution chains start with a malicious link in an email.\r\nExecution | T1059 | Command and Scripting Interpreter | Mekotio is most commonly executed by abusing the legitimate AutoIt interpreter.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | Mekotio uses PowerShell to execute its distribution chain stages.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Mekotio uses VBScript to execute its distribution chain stages.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Mekotio ensures persistence by using a Run key or creating an LNK file in the Startup folder.\r\nDefense Evasion | T1218 | Signed Binary Proxy Execution | Mekotio is executed by running a legitimate AutoIt interpreter and passing a loader script for it to interpret.\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Mekotio steals credentials from the Google Chrome browser.\r\nDiscovery | T1010 | Application Window Discovery | Mekotio discovers various security tools and banking applications based on window names.\r\nDiscovery | T1083 | File and Directory Discovery | Mekotio discovers banking protection software based on file system paths.\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | Mekotio detects the presence of banking protection products.\r\nDiscovery | T1082 | System 
Information Discovery | Mekotio collects information about the victim's machine, such as firewall status and Windows version.\r\nCollection | T1056.001 | Input Capture: Keylogging | Mekotio is capable of capturing keystrokes.\r\nCommand and Control | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Mekotio generates its C\u0026C domain using a DGA.\r\nCommand and Control | T1568.003 | Dynamic Resolution: DNS Calculation | Mekotio uses an algorithm to modify the resolved IP address to obtain the actual C\u0026C address.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | Mekotio’s network protocol in variants not using SQL is based on Delphi_Remote_Access_PC.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Mekotio sends the data it retrieves to its C\u0026C server.\r\n[1] Anti-fraud solutions used very frequently in Latin America.\r\n[2] Common HTTP verbs are GET and POST.\r\nSource: https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/"
	],
	"report_names": [
		"mekotio-these-arent-the-security-updates-youre-looking-for"
	],
	"threat_actors": [],
	"ts_created_at": 1775434535,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcc6a4a3f694de330815c4972b5ab8044ec7d7d9.pdf",
		"text": "https://archive.orkl.eu/dcc6a4a3f694de330815c4972b5ab8044ec7d7d9.txt",
		"img": "https://archive.orkl.eu/dcc6a4a3f694de330815c4972b5ab8044ec7d7d9.jpg"
	}
}