Skip to content

S0530 Melcoz

Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.1

Item Value
ID S0530
Associated Names
Version 1.0
Created 10 November 2020
Last Modified 22 December 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1185 Browser Session Hijacking Melcoz can monitor the victim’s browser for online banking sessions and display an overlay window to manipulate the session in the background.1
enterprise T1115 Clipboard Data Melcoz can monitor content saved to the clipboard.1
enterprise T1059 Command and Scripting Interpreter Melcoz has been distributed through an AutoIt loader script.1
enterprise T1059.005 Visual Basic Melcoz can use VBS scripts to execute malicious DLLs.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Melcoz has the ability to steal credentials from web browsers.1
enterprise T1565 Data Manipulation -
enterprise T1565.002 Transmitted Data Manipulation Melcoz can monitor the clipboard for cryptocurrency addresses and change the intended address to one controlled by the adversary.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Melcoz can use DLL hijacking to bypass security controls.1
enterprise T1105 Ingress Tool Transfer Melcoz has the ability to download additional files to a compromised host.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Melcoz has been packed with VMProtect and Themida.1
enterprise T1566 Phishing -
enterprise T1566.002 Spearphishing Link Melcoz has been spread through malicious links embedded in e-mails.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec Melcoz can use MSI files with embedded VBScript for execution.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Melcoz has gained execution through victims opening malicious links.1