Rewterz Threat Alert – DarkCrystal RAT (DCRat) – Active IOCs
April 28, 2023
Severity
High
Analysis Summary
Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected software installers. Once installed on a victim’s device, Mekotio can perform a variety of malicious actions, such as stealing login credentials for online banking accounts, keylogging, and taking screenshots. The malware is also capable of evading detection by antivirus software and uses a variety of methods to maintain persistence on an infected system.
Mekotio is also known for its modular structure, which allows attackers to add new functionality to the malware as needed. The malware is typically sold on underground forums and is offered as a service, with the attackers charging a fee for the use of the malware and providing technical support to customers.
Additionally, Mekotio is polymorphic malware, meaning that it can change its code structure each time it is executed, making it harder for antivirus software to detect. To protect against Mekotio and other banking trojans, it is important to use strong, unique passwords for all online accounts, avoid clicking on links in unsolicited emails, and keep all software up to date.
Impact
- Information Theft
- Financial Loss
- Exposure to Sensitive Information
Indicators of Compromise
MD5
- 2ce0c27147c20019f5133a1ccb1fae44
- 9f0f32dda0a63ad985226cba751af5f1
- 6ebdf4f0587d266a618d2e83fe2e7cdb
- 51bef2df069930c6566c6babb940db9b
SHA-256
- d55efd7cfe9f2d5e748eb40301004c8d913446bf66e27576f1ab9f2a1eb57509
- 5013cf8a7cf2e0e230f8c7149d2c9eb99c681cda6d754f58e2409d6f3db98c56
- 2bb49909ef6d4200d177dbaaa400ab01b185201c8e21b418c5bef53ce09e6cd5
- ce8ca1d49f64eb96ce9d59551a36b2957df11ccceae66e23caf052815f3604fd
- 772ebbf8004b9b1234831e85b9f19d21cec987287b35738bd69f153d0484f83d
- bdefd2a110fad373c20aeace90b1e091ddbcbfeff32ddda986b0007bd7e461af
- d675cc45f69f0a36944dcdb231e62fb8c3c5bd13919d09c14d23e8c18a8ba7db
- e6a418950ce14e5a53be16dfef0452415a1e4017438429a76ce54eddfef06c75
SHA-1
- 25e68e2443d445e7c1eb65f34b7e9dfb81536213
- 730f0a2cebeac3aa3cb3e7a1414e0149f8f18b88
- dc2afbca51b7910bf8f71ecb267291711b6b1d05
- 679d10f42d0778a7b15e83a9b59ac4c1e7d76b26
Remediation
- Block all threat indicators at your respective controls. Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Make sure all of your software, including your operating system and applications, is up to date with the latest security patches. This helps close vulnerabilities that could be exploited by Aurora Stealer and other types of malware.
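The first remediation item asks you to search your environment for the listed indicators. The script below is an added example, not Rewterz tooling: it carries the MD5, SHA-1 and SHA-256 indicators from this alert, validates that each one is well formed for its algorithm (a mislabeled or truncated indicator would otherwise never match and silently give a false "clean" result), hashes every regular file under a directory in a single pass, and reports matches. A separate `match_digests()` entry point accepts digests that already arrive from another source, such as an EDR or mail-gateway export, so the same IOC set can be checked without the file itself. `make_demo_tree()` builds a constructed directory of benign files for a self-contained run; the directory path and file names are assumptions for the example.

```python
"""Hash-based IOC sweep for the Mekotio indicators listed in this alert.

Added example, not Rewterz code. Sweeps a directory tree for files whose
MD5 / SHA-1 / SHA-256 digest appears in the alert's IOC list, and offers
match_digests() for digests obtained elsewhere (EDR export, gateway log).
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# Indicators copied from the alert above, keyed by producing algorithm.
# Stored lower-case so comparisons are case-insensitive.
IOC_HASHES: Dict[str, Set[str]] = {
    "md5": {
        "2ce0c27147c20019f5133a1ccb1fae44",
        "9f0f32dda0a63ad985226cba751af5f1",
        "6ebdf4f0587d266a618d2e83fe2e7cdb",
        "51bef2df069930c6566c6babb940db9b",
    },
    "sha1": {
        "25e68e2443d445e7c1eb65f34b7e9dfb81536213",
        "730f0a2cebeac3aa3cb3e7a1414e0149f8f18b88",
        "dc2afbca51b7910bf8f71ecb267291711b6b1d05",
        "679d10f42d0778a7b15e83a9b59ac4c1e7d76b26",
    },
    "sha256": {
        "d55efd7cfe9f2d5e748eb40301004c8d913446bf66e27576f1ab9f2a1eb57509",
        "5013cf8a7cf2e0e230f8c7149d2c9eb99c681cda6d754f58e2409d6f3db98c56",
        "2bb49909ef6d4200d177dbaaa400ab01b185201c8e21b418c5bef53ce09e6cd5",
        "ce8ca1d49f64eb96ce9d59551a36b2957df11ccceae66e23caf052815f3604fd",
        "772ebbf8004b9b1234831e85b9f19d21cec987287b35738bd69f153d0484f83d",
        "bdefd2a110fad373c20aeace90b1e091ddbcbfeff32ddda986b0007bd7e461af",
        "d675cc45f69f0a36944dcdb231e62fb8c3c5bd13919d09c14d23e8c18a8ba7db",
        "e6a418950ce14e5a53be16dfef0452415a1e4017438429a76ce54eddfef06c75",
    },
}

# Expected hex-digest length per algorithm, used to catch mislabeled
# or truncated indicators before they silently never match anything.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_CHARS = set("0123456789abcdef")


def validate_iocs(iocs: Dict[str, Set[str]] = IOC_HASHES) -> List[str]:
    """Return human-readable problems with the IOC set (empty list = clean)."""
    problems = []
    for algo, digests in iocs.items():
        for d in digests:
            if len(d) != DIGEST_LEN[algo] or not set(d) <= HEX_CHARS:
                problems.append(f"{algo}: malformed indicator {d!r}")
    return problems


def hash_file(path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of one file, reading it only once."""
    hashers = {algo: hashlib.new(algo) for algo in DIGEST_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests: Iterable[Tuple[str, str]],
                  iocs: Dict[str, Set[str]] = IOC_HASHES) -> List[Tuple[str, str]]:
    """Return the (algo, digest) pairs found in the IOC set; input may be mixed-case."""
    hits = []
    for algo, digest in digests:
        d = digest.strip().lower()
        if d in iocs.get(algo, set()):
            hits.append((algo, d))
    return hits


def scan_tree(root, iocs: Dict[str, Set[str]] = IOC_HASHES) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, algo, digest) for every file matching an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file; a real deployment would log this
            for algo, d in match_digests(digests.items(), iocs):
                hits.append((path, algo, d))
    return hits


def make_demo_tree() -> Path:
    """Build a constructed directory of benign files so the sweep can run offline."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "empty.bin").write_bytes(b"")
    (root / "benign.txt").write_bytes(b"constructed benign content\n")
    return root


if __name__ == "__main__":
    import sys
    assert not validate_iocs(), validate_iocs()
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for path, algo, digest in scan_tree(target):
        print(f"MATCH {algo} {digest} {path}")
```

Run it with a directory argument to sweep that tree, or without one to sweep the constructed demo directory (which should produce no matches). Hash matching is a point-in-time check: the summary notes that Mekotio is polymorphic, so a clean sweep against these four samples does not rule out a different build, and the hash check should sit alongside the behavioural controls in the remediation list rather than replace them.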