
Cybercrime: Mekotio delivered in Italy via fake tax receipt

Malware Hunter JAMESWT Technical Analysis

Mekotio returns to Italy with an email about a fake tax receipt. The link in the text downloads a zip with an msi file inside. The msi contacts a URL and downloads another zip containing a vbs and the self-installing dll, the malware.

An email about a fake tax receipt, purportedly from the tax administration of the “Italian Government”, delivers the new Mekotio campaign in Italy.

The link in the text downloads a zip archive with an msi file inside. The msi contacts a URL and downloads another zip, which contains a vbs and the self-installing dll that starts the malware infection.
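For triage of mail-gateway or proxy captures, the two archive shapes in this chain can be recognised from their contents. The following is an added example, not code from the analysis: the labels `stage1-msi` and `stage2-vbs-dll`, the function names and the sample file names are hypothetical, and the samples are constructed with no real payloads.

```python
import io
import zipfile

PE_MAGIC = b"MZ"  # DOS/PE header at the start of a .dll or .exe

def member_kinds(zf):
    """Coarse kind of every file in the archive, by extension and magic bytes."""
    kinds = set()
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename.lower()
        head = b""
        if not info.flag_bits & 0x1:  # encrypted members cannot be read without a password
            with zf.open(info) as fh:
                head = fh.read(2)
        if name.endswith(".msi"):
            kinds.add("msi")
        elif name.endswith(".vbs"):
            kinds.add("vbs")
        elif name.endswith(".dll") or head == PE_MAGIC:  # catches a renamed dll
            kinds.add("pe")
    return kinds

def classify_archive(data):
    """Label a zip (as bytes) against the two archive shapes in the chain."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            kinds = member_kinds(zf)
    except zipfile.BadZipFile:
        return "not-a-zip"
    if {"vbs", "pe"} <= kinds:
        return "stage2-vbs-dll"   # second zip: script plus library
    if "msi" in kinds:
        return "stage1-msi"       # first zip: installer only
    return "no-match"

def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: names and contents are invented, no real payloads.
STAGE1 = make_zip({"ricevuta.msi": b"\xd0\xcf\x11\xe0" + b"\x00" * 16})
STAGE2 = make_zip({"start.vbs": b"' constructed", "data.bin": b"MZ" + b"\x00" * 16})
BENIGN = make_zip({"readme.txt": b"hello"})
```

A match is a reason to look closer at the archive, not a verdict: legitimate software is also shipped as a zipped msi.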

Mekotio is a spy banker that, since its inception in 2015, had been used by cybercriminals almost exclusively to hit targets in Latin America or, in any case, Spanish-speaking ones. Recently, however, it has also appeared in Italy with several campaigns, including the Ministry of Economy and Finance (MEF) and Ministry of Transport (MIT) ones.

Malware Samples
