S0530 Melcoz
Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.1
Item | Value |
---|---|
ID | S0530 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 10 November 2020 |
Last Modified | 22 December 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1185 | Browser Session Hijacking | Melcoz can monitor the victim’s browser for online banking sessions and display an overlay window to manipulate the session in the background.1 |
enterprise | T1115 | Clipboard Data | Melcoz can monitor content saved to the clipboard.1 |
enterprise | T1059 | Command and Scripting Interpreter | Melcoz has been distributed through an AutoIt loader script.1 |
enterprise | T1059.005 | Visual Basic | Melcoz can use VBS scripts to execute malicious DLLs.1 |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | Melcoz has the ability to steal credentials from web browsers.1 |
enterprise | T1565 | Data Manipulation | - |
enterprise | T1565.002 | Transmitted Data Manipulation | Melcoz can monitor the clipboard for cryptocurrency addresses and change the intended address to one controlled by the adversary.1 |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.001 | DLL Search Order Hijacking | Melcoz can use DLL hijacking to bypass security controls.1 |
enterprise | T1105 | Ingress Tool Transfer | Melcoz has the ability to download additional files to a compromised host.1 |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.002 | Software Packing | Melcoz has been packed with VMProtect and Themida.1 |
enterprise | T1566 | Phishing | - |
enterprise | T1566.002 | Spearphishing Link | Melcoz has been spread through malicious links embedded in e-mails.1 |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.007 | Msiexec | Melcoz can use MSI files with embedded VBScript for execution.1 |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Melcoz has gained execution through victims opening malicious links.1 |