16 Cybercriminals Behind Mekotio and Grandoreiro Banking Trojan Arrested in Spain

Spanish law enforcement agencies on Wednesday arrested 16 individuals belonging to a criminal network in connection with operating two banking trojans as part of a social engineering campaign targeting financial institutions in Europe.

The arrests were made in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los barros (Badajoz), and Aranda de Duero (Burgos) following a year-long investigation codenamed “Aguas Vivas”, the Civil Guard said in a statement.

“Through malicious software, installed on the victim’s computer by the technique known as ’email spoofing’, [the group] would have managed to divert large amounts of money to their accounts,” authorities noted.

Computer equipment, mobile phones, and documents were confiscated, and more than 1,800 spam emails were analyzed, enabling law enforcement to block transfer attempts totaling €3.5 million successfully. The campaign is said to have netted the actors €276,470, of which €87,000 has been successfully recovered.

As part of an effort to lend credibility to their phishing attacks, the operators worked by sending emails under the guise of legitimate package delivery services and government entities such as the Treasury, urging the recipients to click on a link that stealthily downloaded malicious software onto the systems.

The malware — dubbed “Mekotio” and “Grandoreiro” — functioned by intercepting transactions on a banking website to unauthorizedly siphon funds to accounts under the attackers’ control. At least 68 email accounts belonging to official bodies were infected to facilitate such fraudulent transfers.

“After that, the money was diversified by sending it to other accounts, or by withdrawing cash at ATMs, transfers by BIZUM, REVOLUT cards, etc., in order to hinder the possible police investigation,” the Civil Guard said.

Grandoreiro and Mekotio (aka Melcoz) are both part of a “Tetrade” of Brazilian banking trojans as detailed by cybersecurity firm Kaspersky in July 2020, while the latter’s evolving tactics were disclosed by ESET in August 2020, which involved displaying fake pop-up windows to its victims in an attempt to entice them into divulging sensitive information.

“These windows are carefully designed to target Latin American banks and other financial institutions,” the Slovak cybersecurity company had noted.

Operational since at least 2016, Grandoreiro has a history of singling out Brazil, Mexico, Spain, Portugal, and Turkey, “with the attackers regularly improving techniques, striving to stay undetected and active for longer periods of time.” Mekotio, on the other hand, has been observed in attacks targeting Brazil and dating back to 2018, before expanding to Chile, Mexico, and Spain.

“[Mekotio] steals passwords from browsers and from the device’s memory, providing remote access to capture internet banking access,” Kaspersky researchers explained in a report published Wednesday. “It also includes a Bitcoin wallet stealing module.”

To avoid falling prey to such attacks, the agency is recommending that email and SMS recipients scrutinize messages carefully, particularly if it is about entities with urgent requests, promotions, or very attractive bargains, while also taking steps to be on the lookout for grammatical errors and ensure the authenticity of the sender of the message.