Trojan Uses Ancient Encryption to Avoid Detection
Malware Phishing

Trojan Uses Ancient Encryption to Avoid Detection

Jhonti Todd-Simpson
Jhonti Todd-Simpson

You can also watch this video on LBRY

  • Tojan of raided cybercriminal gang is back and improved
  • The malware uses a simple cipher to avoid detection
  • Analysis by Checkpoint and ESET demystifies the malware


Mekotio is a banking trojan thought to be the work of Brazilian cybercriminals. 16 members of it's Spanish counterparts were arrested in July 2021. Not to be deterred the gang swiftly reengineered their trojan, making it more stealthy.

Mekotio spreads by use of phishing emails, purporting that the victim owes a sum of money - prompting them to download a pdf file to view the invoice. The downloaded zip file contains a malicious batch script which once executed loads Mekotio onto the victim PC.


Cipher obfuscation

Mekotio uses a very primitive cipher in order to obfuscate its code, outsmarting antivirus products.

Checkpoint explains: "This simple obfuscation technique allows it to go undetected by most of the AntiVirus products ... Each batch file contains these two lines"

At runtime characters from the bottom set are mapped onto the corresponding character in the top set, de-obfuscating the code.