Hive0147 Serving Juicy Picanha With a Side of Mekotio
IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution.
After a 3-month break, Hive0147 returned in July with even larger campaign volumes and the debut of a new malicious downloader, which X-Force named “Picanha” and which is likely still under development, deploying the Mekotio banking trojan. Hive0147 also distributes other banking trojans, such as Banker.FN, also known as Coyote, and is likely affiliated with several other Latin American cybercrime groups operating different downloaders and banking trojans to enable banking fraud.
- Hive0147 is one of the most active URL-based phishing threat actors targeting LATAM
- Malware distributed by Hive0147 has led to a variety of banking trojans, including Banker.FN and Mekotio
- X-Force discovered a new two-stage downloader named Picanha, which was used to facilitate a Mekotio infection
- The Mekotio variant observed by X-Force targets a multitude of banking applications and uses a domain generation algorithm (DGA) to resolve its C2 servers
LATAM has increasingly become a highly targeted cyber threat landscape, specifically in Brazil and Mexico, where economies and industries show strong development. Digital services continue to expand into government services and financial technologies, including mobile banking. The 2023 Latin America E-commerce Blueprint found that e-commerce will steadily grow by at least 20% annually due to improved technology, innovations from online platforms, and the adoption of alternative payment methods. In 2023, 71% of adults in the region had a financial account, and it is estimated that between 2023 and 2026, 33 million new users will use the internet for the first time. E-commerce in LATAM, including retail and other sectors like tax payments, fees and licenses, bill payments, and government services, is dominated by mobile channels, with 70% of e-commerce transactions conducted over mobile channels since 2020. Conducting transactions over mobile channels gives users the flexibility to store credentials in digital wallets and initiate real-time bank transfers. For example, Brazil’s ‘Pix’ payment platform accounts for 16% of the region’s e-commerce transaction volume. By 2026, it is estimated that Pix growth will account for 38% of online sales. With increasing digital developments in LATAM, specifically e-commerce platforms, IBM X-Force assesses that malware distributors such as Hive0147 are taking advantage of the growth. Malware distributors operating within LATAM are increasing phishing campaign delivery in hopes of obtaining credentials, specifically banking credentials, for monetary gain. Throughout 2023, LATAM remained a highly impacted region, accounting for 12% of incident response cases supported by IBM X-Force. In 2023, entities and users in Brazil were most frequently targeted, making up 68% of all cases that IBM X-Force responded to in LATAM, while users in Colombia accounted for 17%, and users in Chile 8%.
IBM X-Force tracks several threat actors operating in LATAM, although attribution and clustering can be difficult due to overlapping tactics, techniques, and procedures (TTPs). Phishing campaigns within the LATAM region typically contain themes related to public service, government, taxes, and invoices, with the email bodies including either Portuguese or Spanish language content. Often, infection chains consist of multiple stages, starting with either PDF lures or URLs. Cloud-hosted payloads commonly observed in campaigns use platforms such as Azure blob (blob.core.windows.net), Azure (cloudapp.azure.com), Firebase dynamic links, GoDaddy (host.secureserver.net) and Google Cloud Run (app.goo.gl). When users click on one of the provided links, they are redirected and initiate the download of a ZIP archive file. Depending on the campaign, X-Force notes the ZIP files might contain one of the following file types: MSI, EXE, CMD, HTA or VBS. Executing the file inside the ZIP archive starts the infection chain, with some distributors favoring specific malware families, such as BlotchyQuasar (Hive0129), Guildma and some Grandoreiro operators, while others use different payloads and a variety of forks. Frequently, email campaigns containing redirect links are geofenced, requiring the user to access the links from within a specific LATAM country (most commonly Brazil, Mexico, or Colombia).
Hive0147 is one of the most active banking malware distributors IBM X-Force observes that currently operates in LATAM. IBM X-Force has been tracking a steady influx of campaigns grouped under Hive0147 delivering the banking trojan Banker.FN, as well as a new Golang-based downloader we’ve named “Picanha,” deploying the well-known Mekotio banking trojan. Although we do not attribute this new downloader to Hive0147 specifically, IBM X-Force assesses that LATAM distributors operate under a similar model as other cybercrime groups, with affiliate groups specializing in spamming, malware staging or crypting, and banking trojan operations and monetization.
Most of Hive0147’s emails are sent from French IP addresses, although there has been a recent shift to emails almost exclusively being sent from Dutch IP addresses. Shifting the location of sender IP addresses may be an attempt to evade detection and bypass security, prevent IP blocking, or make attribution difficult. Interestingly, of the campaign activity observed since January, IBM X-Force found that about half of the emails have a successful DomainKeys Identified Mail (DKIM) verification. DKIM is a method in which signatures are used to verify the authenticity of an email message and ensure that it did not change during transit. Emails with successful DKIM checks may have a higher likelihood of not being flagged as spam. For Hive0147, failed DKIM checks may have been a misconfiguration on the actor’s part, or the result of using different services or infrastructure that do not support DKIM.
During phases of activity, IBM X-Force has observed Hive0147 exhibit a significantly higher volume of activity compared to other LATAM malware distributors. Since January 2024, IBM X-Force notes that activity attributed to Hive0147 occurs on all days of the week; however, activity mainly occurs Monday to Thursday, with 80% of campaign emails sent on these days. Interestingly, from April to July, we saw an almost complete stop in activity, which may be the result of higher-than-normal domestic travel. Brazil’s travel industry is growing rapidly, which can be seen in the increase in both domestic and international air traffic. The National Civil Aviation Agency (ANAC) reported a significant increase in flight passenger traffic of 4.4% between January and June 2024, recording 56.2 million passengers. In addition, the International Air Transport Association (IATA) reported that in July 2024, domestic tourism in Brazil grew a substantial 8.9%.
Figure 1 Hive0147 Active Campaign Days
Figure 2 Hive0147 Top Six IP Usage by Country
Figure 3 Hive0147 DKIM Success and Permanent_error
IBM X-Force has been tracking and clustering a series of campaigns as Hive0147 since 2023, which have been delivering the banking trojan Banker.FN. Banker.FN is a .NET-based banking trojan first reported in early 2023, with activity dating back to at least September 2022. Since then, Banker.FN has received several updates with added functionality.
Banker.FN is able to:
- Exfiltrate sensitive information
- Enumerate active banking websites
- Display fake logins and multi-factor authentication windows
IBM X-Force attributes campaigns delivering Banker.FN to Hive0147 with medium confidence, as activity can be difficult to delineate from other LATAM distributors due to TTP overlaps. IBM X-Force considers the reported Banker.FN campaigns from July 2023 to likely November 2023 as Hive0147 operations.
Emails | Cloud-hosted Payloads | ZIP Download | Use of Electron App | Installer | NIM Loader | Filenames |
Sent during the week (either by X-Force observance or via ZIP file compile dates) | X-Force observed goo.gl URLs or unknown | Yes | Yes | NSIS transition to Squirrel | Yes | All similar containing variations and combinations of “PDF, Fatur, Mensal, doc” |
In late July-August 2023, X-Force observed Banker.FN version 1.0.0.89 being distributed in high-volume email campaigns. Campaigns were active during the weekdays, targeting users in Brazil with emails written in themes related to invoices and deliveries. Emails contained an embedded “app.goo[.]gl” link, redirecting users to Firebase dynamic links to download a malicious Electron app acting as a loader. Upon installation, the loader goes through several infection stages including a Nim-compiled crypter to stealthily inject the final payload. The banking trojan is then able to exfiltrate sensitive information, enumerate active banking websites, and display fake logins and multi-factor authentication windows.
Figure 4 Examples of Fake Multi-Factor Authentication Windows
IBM X-Force observed the distribution of Banker.FN again in late August 2023, this time delivered via DocuSign. Although emails were sent Friday-Monday, most emails were delivered on Friday. The campaign targeted Portuguese-speaking users and directed the recipient to review and sign a document by clicking on a Firebase dynamic link. The victim is then redirected to a dropper site, which upon resolving the domain will download a ZIP file on to the victim machine. The downloaded ZIP archive contains an executable posing as a PDF file, which is a malicious Electron app built into a Squirrel.Windows installer. Upon execution, it installs its malicious components, establishes persistence, detects virtual environments, and decrypts the next stage before executing it via DLL hijacking.
Figure 5 Sample Email
The Electron app built into a Squirrel.Windows installer is a slight change from the previous campaign, where the Electron app was built into an NSIS installer. The app, however, is built the same way and contains an obfuscated JavaScript installer that checks for common virtual machine environments before establishing persistence and decrypting an archive containing another trojanized application. The trojanized application executes a legitimate executable, which in turn executes a bloated malicious loader via DLL hijacking, continuing the attack execution. This campaign continues the use of a Nim-compiled loader using more advanced techniques such as direct syscalls.
Further reports made public in February and July 2024 detail campaigns likely occurring in late 2023 delivering a purportedly new malware named “Coyote”; however, the malware is a banking trojan first discovered by ESET called Banker.FN. The infection chain in both campaigns involves the Squirrel installer for malware distribution, as well as NodeJS and the Nim loader.
The ecosystem of LATAM banking trojans is unique in comparison to other cybercrime operations. It is one of the only regions in which banking trojans are still used heavily to commit banking fraud, while most other banking trojans have since moved on to become backdoors and botnets to furnish ransomware attacks. The threat groups operating out of LATAM and Spain also display a high degree of cross-group collaboration, while sticking to their tried-and-true techniques, seldom found in other regions. Although this does help to quickly identify a “Latin American banking trojan” group or campaign, attribution is often very challenging due to the strong overlaps. Different malware strains will often use similar string encryption algorithms, and several banking trojans are believed to be operated as Malware-as-a-Service or have several independently developed and operated forks. The same applies to the malware distributors, which mainly rely on shared techniques such as public cloud hosting, and phishing emails containing PDFs and malicious URLs to download ZIP archives containing the first stage malware.
In most cases, the first stage is a downloader-type malware. These come in all shapes and sizes and can have varying levels of complexity. A large portion of downloaders are script-based, often featuring lengthy infection chains composed of Batch, JavaScript, Visual Basic Script or PowerShell scripts, and the scripts themselves may also be embedded in files such as HTML, LNK (Guildma especially), or MSI installers. The more complex downloaders often support some very basic enumeration on the host, which they pass back to their C2/download server in order to notify the operators of the potential value of an infection. One example is the Grandoreiro downloader, a member of the Grandoreiro family, which features its own string encryption and performs detailed enumeration before downloading the main banking trojan.
Other downloaders are more generic but are also used to download banking trojans such as Grandoreiro. What the latter have in common is that they almost always download a full archive containing a legitimate application, with the malware hidden in a trojanized DLL which is loaded by the application upon execution. The reason for this method of packaging and distribution is so that any potentially suspicious activity performed by the banking trojan appears to EDR solutions as if it is coming from a legitimate executable’s process. This recurring technique is characteristic of the LATAM ecosystem and has been a distinctive feature for several years. In mid-2024, IBM X-Force observed a campaign delivering a new downloader exhibiting the same characteristics. X-Force named the new Golang-based downloader “Picanha.”
The Picanha downloader is the next evolution of this malware type, offering enhanced features such as supporting more download URLs, reliable encryption, and a more sophisticated in-memory execution mechanism, surpassing previous downloader capabilities. However, the builder for Picanha, which is responsible for creating the random function names and other values, is likely still under development. Frequent code changes, such as bugfixes, and the presence of unused configuration values, may further indicate that future versions could include additional features such as persistence for the downloaded payload.
In July 2023, IBM X-Force observed an email campaign using the new Golang-based downloader Picanha to deliver the Mekotio banking trojan. The initial phishing email is in Portuguese and targets employees, informing them of an apparent change in the number of vacation days they have. This theme, which directly threatens employees’ well-being, and the sense of urgency it creates may lead victims to impulsively click on the included URL to view the changes.
Figure 6 Sample Phishing Email
As in previous campaigns targeting LATAM entities, the URL uses Google’s Cloud Run service and redirects victims to a site to download a ZIP file containing a malicious executable. The new Golang-based malware “Picanha downloader” consists of two stages.
Notably, the first stage of the Golang executable contains original function names; however, these have been selected randomly for each sample based on a Portuguese wordlist:
Figure 7 Wordlist
First, Picanha begins by executing a function designed to imitate the Sleep command. The function calculates the elapsed time and performs random calculations until a randomly chosen threshold is reached. The calculation time varies from 25 seconds to 3 minutes. This technique is likely to hinder or slow down detection engines which are often able to hook the Sleep API and skip the dormant functionality.
Then, Picanha decrypts its configuration, which is stored as a hardcoded hex string encrypted with AES-256-GCM.
Figure 8 Encrypted Configuration
The decrypted configuration string contains values delimited by the characters “#” and “|”:
dyicn.ofertadsn.com.br#hzfzx.khadicomunicacao.com.br#zpguk.cozinhaofertas.com#ljoea.curasdanatureza.com#tjqty.deccsmagazine.com.br#sohye.topracoes.com#jmaah.clicktelefoniaempresarial.com.br#izlhu.ometodoseroficial.com#khqry.vitapronobisfassolution.com.br#olukv.familyrealstore.com#################|C:\Program Files\Topaz OFD\Warsaw|reg=Software\Microsoft\Windows\CurrentVersion\Run|\Microsoft\Windows|secretores |
The decrypted configuration consists of:
- 10 different download domains
- The file path of Topaz OFD – an online banking security app popular in Latin America
- A registry key commonly used for persistence – currently unused
- The relative path “\Microsoft\Windows” – currently unused
- A random word used as the name of the folder to store the payload
Picanha will then create a new folder in a randomly chosen folder within the %LOCALAPPDATA% directory. For the analyzed sample based on the above config, the folder would be named “secretores.”
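As an added example (not code from the report or from the malware), the following Python parses the decrypted configuration string above into its five fields and defangs the download domains for a blocklist. The field names are my own, and the trailing space on the folder name is treated as padding.

```python
"""Parser for the decrypted Picanha stage-1 configuration string.

Added example, not code from the report or the malware. The layout ("#"-separated
download domains, then "|"-separated settings) and the sample string come from the
report; the field names below are assumptions made for readability.
"""
from dataclasses import dataclass, field

# Decrypted configuration exactly as printed in the report (raw strings keep the
# Windows backslashes intact).
SAMPLE_CONFIG = (
    r"dyicn.ofertadsn.com.br#hzfzx.khadicomunicacao.com.br#zpguk.cozinhaofertas.com#"
    r"ljoea.curasdanatureza.com#tjqty.deccsmagazine.com.br#sohye.topracoes.com#"
    r"jmaah.clicktelefoniaempresarial.com.br#izlhu.ometodoseroficial.com#"
    r"khqry.vitapronobisfassolution.com.br#olukv.familyrealstore.com#################"
    r"|C:\Program Files\Topaz OFD\Warsaw"
    r"|reg=Software\Microsoft\Windows\CurrentVersion\Run"
    r"|\Microsoft\Windows|secretores |"
)


@dataclass
class PicanhaConfig:
    download_domains: list = field(default_factory=list)
    topaz_path: str = ""       # path checked to decide between the /S and /N request
    run_key: str = ""          # value after "reg=", currently unused by the malware
    relative_path: str = ""    # currently unused by the malware
    folder_name: str = ""      # folder created under a random %LOCALAPPDATA% subfolder


def parse_config(cfg: str) -> PicanhaConfig:
    """Split the decrypted configuration into its five "|"-delimited fields.

    The domain field pads unused slots with empty "#" entries; those are dropped,
    so the parser works for configs that carry fewer than ten domains as well.
    """
    fields = [f.strip() for f in cfg.split("|")]
    if fields and fields[-1] == "":      # the string ends with a delimiter
        fields.pop()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    domains = [d for d in fields[0].split("#") if d]
    run_key = fields[2]
    if run_key.startswith("reg="):
        run_key = run_key[len("reg="):]
    return PicanhaConfig(domains, fields[1], run_key, fields[3], fields[4])


def defang(domain: str) -> str:
    """Render a domain so it cannot be clicked when pasted into a report."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("payload folder name:", cfg.folder_name)
    print("Topaz OFD check path:", cfg.topaz_path)
    for d in cfg.download_domains:
        print("download domain:", defang(d))
```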
Next, the malware enters a loop and attempts to connect to each of the 10 embedded download domains until one is successful. Between the requests, the malware sleeps in random intervals. For each domain, it constructs a full URL and attempts to download a payload. If the request is successful, it will parse the payload as a ZIP archive and extract the contents into the newly created directory.
Figure 9 Loop Attempting Connections to Embedded Domains
After that, the malware checks whether the Topaz OFD banking security protection module is installed by verifying that the path “C:\Program Files\Topaz OFD\Warsaw” exists on the system. Depending on the result, Picanha issues a second HTTP GET request to one of the following URLs, using the same domain as for the ZIP download:
https://<domain>/N -> Not installed
https://<domain>/S -> Installed
Finally, Picanha launches the main executable which was extracted from the ZIP archive. As often seen with infection chains of related banking trojans, the main executable is a legitimate application which loads a trojanized DLL, in this case, named NsBars.dll.
In the example above, the extracted archive contains innocuous files related to the legitimate application and the following three files used for the next steps of the infection chain:
Relative path | Description | SHA256 |
.\Textoescritor.exe | Legitimate application | 39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012 |
.\bin\NsBars.dll | Malicious DLL (Picanha Stage 2), replacing the original NsBars.dll | 4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e |
.\wFHYfjQNzkoG.dat | Encrypted Mekotio payload | 18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b |
Picanha’s first stage terminates after executing Textoescritor.exe. The legitimate application goes on to load a series of user DLLs from the “bin” subdirectory, including the trojanized NsBars.dll. When NsBars.dll is loaded, the export function “BarCreate” is called. The code in this function is responsible for executing the second stage of Picanha.
Picanha’s second stage starts with the decryption of the final payload (Mekotio), which requires two arguments to proceed:
- The filename of the encrypted payload “wFHYfjQNzkoG.dat”
- A decryption password “hNWzPAsZVruI”
The final payload is decrypted in memory using the SHA256 hash of the password as a key for the AES-256-GCM algorithm.
Finally, the address of the decrypted Mekotio payload is passed to a loader function to manually map the binary into a new buffer in memory and resolve its imports. The loader function retrieves the entry point of the Mekotio payload and transfers execution to it.
The Mekotio banking trojan is a Delphi-compiled executable, in this case a 64-bit DLL. Execution begins in the main class with the FormCreate function which attempts to retrieve handles to the following DLLs used by banking security applications:
- wslbscr32.dll
- wslbscrwh32.dll
- RapportGH.dll
- rooksbas.dll
- rooksdol.dll
If they were already loaded into memory, Mekotio would attempt to unload the DLLs by calling DllMain with the DLL_PROCESS_DETACH parameter. However, a simple error in the code causes this functionality to fail, because an encrypted string is missing its decryption function:
Figure 10 Decryption Function
The next interesting piece of code uses SetSecurityInfo to modify the discretionary access control list (DACL) of its process, setting it to a new empty DACL.
Figure 11 Empty DACL
This prevents Windows 7 users from using Windows Task Manager to terminate the process.
Figure 12 Error Message
However, users can still terminate the process from Administrator mode in the Task Manager and the technique does not work in Windows 8.1 and above.
Mekotio also loads two DLLs needed during execution, “Magnification.dll” and “dwmapi.dll”. Finally, the malware begins its enumeration procedure and initiates command and control (C2) communication. Like most other Delphi-based banking trojans, the different classes and functions implementing the various features of the malware are scheduled via Delphi Timer objects.
Upon execution, Mekotio establishes persistence using a registry key. It writes the path of the running executable (the legitimate binary loading the Picanha stage 2 DLL) to the following key, causing Mekotio to execute immediately after every login. At the same time, a file “maisum2.dat” is dropped into the current directory as an indicator that persistence was established successfully.
HKEY_CURRENT_USER\Environment\UserInitMprLogonScript
In addition, Mekotio is able to accept a C2 command requesting to establish persistence through another registry key. In that case, the banking trojan runs cmd.exe with the “REG ADD” command to write the same path to:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mekotio begins its first C2 connection with an HTTP POST request, sending an encrypted string containing basic enumeration data on the newly infected client. For example:
dqbw802=7mvejj3zfwoD5880AhFzv62fA3n7sz8oB4nBoAB3Da&Bcdv2=D929321e3a0651A0ae94b2979e&by4ps8=067DAF75a59388eb63d56AD1474EB73F&40z0uuE=9034F4&y1ry=86FD5dF9&h5i2c8cD3=F37c8880819a78d86bF55BE04e&5c9mt=&zwCbcq=6E8389839392D52FEA31D356C73bA429ac53&83whhjc=&
The data is formatted using the following pattern:
<random_string>=<value1>&<random_string>=<value2>&<random_string>=<value3>…
The first value is a randomly generated 42-character key, which decrypts all other values using the standard Mekotio string encryption algorithm. The encrypted values contain the following system information:
- Computer name
- Username
- Windows version
- Mekotio version string “D22”
- Installed security software (Topaz OFD, Trusteer, Banco Bradesco “Componentes de Segurança”)
- Installed anti-virus software
The analyzed sample does not contain a valid URL, which in turn causes the C2 request to fail. As often observed in related banking trojans, this might well be a deprecated functionality not properly cleaned up.
The rest of the banking trojan’s functionality may use a choice of two different DGA mechanisms to generate a domain and resolve its C2 server. Afterwards, the actual Mekotio C2 communication is performed via Windows Sockets.
The first DGA mechanism, when the DGA mode configuration value is set to 1, generates a new domain based on the following data:
- Day of the month
- Month of the year
- Hardcoded seed “mkro”
The resulting strings are then concatenated. For September 16th for instance, the result is “1609mkro.”
For a DGA mode set to 2, Mekotio also incorporates the hour of the day within a specific period. The following time frames are mapped to a specific string:
Time is less than | Mapped string |
07:00:00 | “AM01” |
08:00:00 | “AM02” |
09:00:00 | “AM03” |
10:00:00 | “AM04” |
11:00:00 | “AM05” |
12:00:00 | “AM06” |
13:00:00 | “PM01” |
14:00:00 | “PM02” |
15:00:00 | “PM03” |
16:00:00 | “PM04” |
17:00:00 | “PM05” |
18:00:00 | “PM06” |
The second DGA method then concatenates the following data:
- Day of the week
- Day of the month
- Timeframe string
- Hardcoded seed “mkro”
As a result, the second DGA method would form the string “MON16AM04mkro” for the date and time “September 16th at 09:42.”
From this point, both methods are the same. They generate an MD5 hash of the concatenated string and use the first 20 characters as a subdomain. The apex domain is retrieved using a list that corresponds to the current day of the month:
Day | Apex domain |
01 | blogdns[.]com |
02 | blogdns[.]net |
03 | blogdns[.]org |
04 | blogsite[.]org |
05 | webhop[.]biz |
06 | webhop[.]info |
07 | dnsalias[.]com |
08 | dnsalias[.]net |
09 | dnsalias[.]org |
10 | dnsdojo[.]com |
11 | doesntexist[.]com |
12 | doesntexist[.]org |
13 | dontexist[.]com |
14 | dontexist[.]net |
15 | dontexist[.]org |
16 | doomdns[.]com |
17 | doomdns[.]org |
18 | dvrdns[.]org |
19 | dyn-o-saur[.]com |
20 | dynalias[.]com |
21 | dynalias[.]net |
22 | dynalias[.]org |
23 | dynathome[.]net |
24 | endofinternet[.]net |
25 | endofinternet[.]org |
26 | endoftheinternet[.]org |
27 | webhop[.]org |
28 | issmarterthanyou[.]com |
29 | neat-url[.]com |
30 | from-ks[.]com |
31 | dyndns-remote[.]com |
For both methods explained above, the final C2 domains are:
3cd99dd0981c76e5a7b9[.]doomdns[.]com
4e342df890dd9fb169e0[.]doomdns[.]com
Mekotio also supports a C2 mode of 0, which is likely meant as a fallback or testing channel and contains a hardcoded IP address to be used as the C2 server (listed in the indicators of compromise below).
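As an added example that is not part of the original report, the following Python reimplements both DGA modes as described above so a defender can pre-compute a day’s candidate domains for DNS blocking. It assumes the weekday is the upper-case three-letter English abbreviation (as in “MON16AM04mkro”) and, because the report gives no window string for times at or after 18:00, refuses such times rather than guessing; the two September 16 subdomains quoted above can be used to check the output.

```python
"""Mekotio DGA reimplementation for pre-computing blocklist candidates.

Added example, not code from the report or the malware. Mode 1 hashes DDMM + "mkro";
mode 2 hashes DOW + DD + time-window string + "mkro". The first 20 hex characters of
the MD5 digest form the subdomain and the apex domain is selected by day of month.
"""
import datetime as dt
import hashlib

SEED = "mkro"  # hardcoded seed from the report
# Assumption: weekday rendered as an upper-case English abbreviation, as in "MON16AM04mkro".
WEEKDAYS = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]

# Day of month (1..31) -> apex domain, in the order the report lists them (defanged).
APEX_BY_DAY = [
    "blogdns[.]com", "blogdns[.]net", "blogdns[.]org", "blogsite[.]org",
    "webhop[.]biz", "webhop[.]info", "dnsalias[.]com", "dnsalias[.]net",
    "dnsalias[.]org", "dnsdojo[.]com", "doesntexist[.]com", "doesntexist[.]org",
    "dontexist[.]com", "dontexist[.]net", "dontexist[.]org", "doomdns[.]com",
    "doomdns[.]org", "dvrdns[.]org", "dyn-o-saur[.]com", "dynalias[.]com",
    "dynalias[.]net", "dynalias[.]org", "dynathome[.]net", "endofinternet[.]net",
    "endofinternet[.]org", "endoftheinternet[.]org", "webhop[.]org",
    "issmarterthanyou[.]com", "neat-url[.]com", "from-ks[.]com",
    "dyndns-remote[.]com",
]
assert len(APEX_BY_DAY) == 31

# (exclusive upper-bound hour, window string): the report's "time is less than" table.
TIME_WINDOWS = [
    (7, "AM01"), (8, "AM02"), (9, "AM03"), (10, "AM04"), (11, "AM05"), (12, "AM06"),
    (13, "PM01"), (14, "PM02"), (15, "PM03"), (16, "PM04"), (17, "PM05"), (18, "PM06"),
]


def time_window(t):
    """Mode-2 window string for a time of day; undocumented at/after 18:00, so refuse."""
    for bound, label in TIME_WINDOWS:
        if t < dt.time(bound, 0, 0):
            return label
    raise ValueError("the report documents no window for times at or after 18:00")


def seed_string(when, mode):
    """String that gets hashed: DDMM+seed (mode 1) or DOW+DD+window+seed (mode 2)."""
    if mode == 1:
        return f"{when.day:02d}{when.month:02d}{SEED}"
    if mode == 2:
        return f"{WEEKDAYS[when.weekday()]}{when.day:02d}{time_window(when.time())}{SEED}"
    raise ValueError("DGA mode must be 1 or 2")


def c2_domain(when, mode):
    """Defanged C2 domain: first 20 hex chars of MD5(seed string) + apex for the day."""
    sub = hashlib.md5(seed_string(when, mode).encode("ascii")).hexdigest()[:20]
    return f"{sub}[.]{APEX_BY_DAY[when.day - 1]}"


def blocklist_for_day(day):
    """All 13 domains Mekotio can generate on a date: one mode-1, one per mode-2 window."""
    domains = [c2_domain(dt.datetime.combine(day, dt.time(0, 0)), 1)]
    for bound, _ in TIME_WINDOWS:
        # Any time inside a window yields the same string; probe one hour before the bound.
        probe = dt.datetime.combine(day, dt.time(bound - 1, 0))
        domains.append(c2_domain(probe, 2))
    return domains


if __name__ == "__main__":
    for d in blocklist_for_day(dt.date(2024, 9, 16)):
        print(d)
```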
Just like most other banking trojans, all specific functionality of Mekotio requires sensitive strings. These are decrypted at runtime to avoid static detections. Mekotio uses an old algorithm which is among the most common ones in LATAM banking trojans, and has been used as such or in slight variations with other bankers including Grandoreiro, Ousaban and Astaroth/Guildma. It has been documented numerous times before, but the following is an example Python implementation:
def decrypt(ct, key):
    # ct: hex-encoded ciphertext; key: key bytes (indexed as integers)
    plaintext = ""
    ct = bytes.fromhex(ct)
    for i in range(1, len(ct)):
        # XOR with the repeating key, then undo the chaining on the previous ciphertext byte
        n = ct[i] ^ key[(i - 1) % len(key)]
        c = ct[i - 1]
        c = n - c if c < n else n + int(0xff) - c
        plaintext += chr(c)
    return plaintext
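As an added example covering both the check-in body format and the string algorithm above (not code from the report or from the malware), the following Python parses a check-in body, uses its first value as the key and decrypts the remaining fields. The encrypt() routine is the inverse derived here from decrypt() purely to build a constructed body for a round-trip check; it assumes the 42-character key is used as its ASCII bytes and that the leading ciphertext byte is a seed carrying no plaintext.

```python
"""Decoder for the Mekotio HTTP POST check-in body.

Added example, not code from the report or the malware. decrypt() is the algorithm
the report prints; encrypt() is its inverse, derived here for a round-trip check.
Assumptions: the first value is used as raw ASCII key bytes, and ciphertext byte 0
is a seed that carries no plaintext (the report's loop starts at index 1).
"""
import os

# Captured check-in body as printed in the report (random field names, hex values).
CAPTURED_CHECKIN = (
    "dqbw802=7mvejj3zfwoD5880AhFzv62fA3n7sz8oB4nBoAB3Da&Bcdv2=D929321e3a0651A0ae94b2979e"
    "&by4ps8=067DAF75a59388eb63d56AD1474EB73F&40z0uuE=9034F4&y1ry=86FD5dF9"
    "&h5i2c8cD3=F37c8880819a78d86bF55BE04e&5c9mt=&zwCbcq=6E8389839392D52FEA31D356C73bA429ac53"
    "&83whhjc=&"
)

# Constructed demo values (not captured data) for the round-trip check.
DEMO_KEY = "0123456789abcdefghijklmnopqrstuvwxyzABCDEF"      # 42 characters
DEMO_FIELDS = ["WIN-ANALYST01", "analyst", "Windows 10", "D22", "", "Topaz OFD"]


def decrypt(ct_hex, key):
    """Standard Mekotio string decryption, as printed in the report (key: bytes)."""
    plaintext = ""
    ct = bytes.fromhex(ct_hex)
    for i in range(1, len(ct)):
        n = ct[i] ^ key[(i - 1) % len(key)]
        c = ct[i - 1]          # chaining uses the previous *ciphertext* byte
        c = n - c if c < n else n + 0xFF - c
        plaintext += chr(c)
    return plaintext


def encrypt(plaintext, key, seed=None):
    """Inverse of decrypt(), derived here (assumption: mirrors the malware's encoder).

    Byte 0 is a seed carrying no plaintext; each later byte is chained on the
    previous ciphertext byte and then XORed with the key. Plaintext bytes must be
    1..254, since 0x00 and 0xFF have no encoding under this scheme.
    """
    out = [os.urandom(1)[0] if seed is None else seed]
    for i, p in enumerate(plaintext.encode("latin-1"), start=1):
        if p in (0x00, 0xFF):
            raise ValueError("byte value not representable")
        prev = out[i - 1]
        n = p + prev if p + prev <= 0xFF else p + prev - 0xFF
        out.append(n ^ key[(i - 1) % len(key)])
    return bytes(out).hex().upper()


def parse_checkin(body):
    """Split '<rnd>=<v1>&<rnd>=<v2>&...' into (key, [other values])."""
    values = [seg.partition("=")[2] for seg in body.strip().split("&") if seg]
    if not values or len(values[0]) != 42:
        raise ValueError("first value should be the 42-character key")
    return values[0], values[1:]


def decode_checkin(body):
    """Decrypt every field after the key; empty fields stay empty."""
    key, fields = parse_checkin(body)
    return [decrypt(v, key.encode("ascii")) if v else "" for v in fields]


def build_checkin(fields, key):
    """Constructed check-in body in the report's layout (field names are fixed
    here; the real malware randomises them)."""
    parts = [f"f0={key}"]
    for i, text in enumerate(fields, start=1):
        parts.append(f"f{i}={encrypt(text, key.encode('ascii')) if text else ''}")
    return "&".join(parts) + "&"


if __name__ == "__main__":
    print(decode_checkin(build_checkin(DEMO_FIELDS, DEMO_KEY)))
    print("captured key:", parse_checkin(CAPTURED_CHECKIN)[0])
```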
The main objective of Mekotio, or any other LATAM banking trojan, is to discover the use of banking applications and attempt to manipulate the apps, web apps or the users themselves to commit banking fraud. For the initial discovery of targeted banking applications, the banking trojans include a list of strings containing the names of common financial institutions and their related apps. This list is constantly compared against any open windows on the infected machine. If there is a match, the banking trojan will inform the operator which exact application is used. Mekotio contains the following list, indicating clear targeting of banking apps used throughout LATAM:
BancoDaycovalBancoMercantilCCBBrasilagibankaplicativoitaasaasatendimentoitabadesulbancoalfabancobmgbancobradescobancobs2bancodaamazoniabancodobrasilbancodoestadodoparbancodonordestebancointerbancoitabancomercantilbancooriginalbancorendimentobancotopaziobancovotorantimbanesedoseujeitobanestesbanrisulbbcombrbdmgdigitalbinancebitcointradebitfinexbitprecobitstampblockchainbnb.gov.brbradescobraziliexbrbbanknetcitibankciviacontaonlinecontasimplescoopcredcoracredinetcredisiscreditrancredsiscresolinternetbankinggerenciadorfinanceirohomebankinternetbanking.banparainternetbankingcaiitauaplicativo.exelogincaixaloginxmercadobitcoinmercadopagonavegadorexclusivopaguevelozpicpaypoloniexprimebitprimexbtpro.bitcointoyourecargapaysafranetbankingsantandsicoobsicredisisprimesisprimesofisastonetribancounicreduniprimeviacrediwise |
When one of the referenced banking applications is detected, Mekotio can handle specific commands. These commands implement the following functionality:
- Lock the application’s window to prevent users from exiting
- Grab input from the window, which might include credentials and tokens
- Create a fake window imitating the banking application to capture credentials or tokens
- Display or capture a QR code, which may be used to circumvent multi-factor authentication (MFA)
- Display a token again to circumvent MFA
Mekotio contains several images designed to imitate banking applications:
Figure 13 Readily Available Application Images
Figure 14 Readily Available Application Images
Figure 15 Readily Available Application Images
Figure 16 Readily Available Application Images
In addition, Mekotio supports a list of further commands to control the infected machine, including commands to:
- Send keystrokes, mouse movement, clicks or scrolls
- Display windows with custom text
- Send or receive clipboard data
- Change C2 modes
- Beacon/Ping C2
- Kill process “core.exe” associated with banking security software
- Kill browsers
- Maximize browser windows
- Show taskbar
- Send system enumeration data
- Take screenshots
- Constantly check for windows such as “Task Manager” and “Warning” and immediately close them
Another interesting functionality exhibited by Mekotio is a feature internally called “Troca sistema de lugar”, which roughly translates to “Change system location” (Portuguese machine translation). Mekotio will send an HTTP GET request to retrieve an encrypted string stored at:
https://api.cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my
The string contains a key and encrypted data between hardcoded separators, which reveal a list of further download URLs hosted on Google Firebase:
https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire.txt?alt=media&token=096bbc3c-d9eb-4010-a8c7-36d51874bff7
https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire?alt=media&token=8c582627-8a00-4e3d-9bc5-9b657ad0f135
Both URLs host the same 40KB JSON file. Mekotio downloads this file as part of the next stage of the process.
Figure 17 JSON File Contents
The JSON file contains two lists, “diretorioraiz” and “nomesdiretorio.” The former contains four system directories, and the latter is what appears to be a large list of folder names related to video games. Although the exact purpose of these contents is not clear, Mekotio appears to randomly select and create a folder from the list and copy its archive to the new location. Afterwards, it re-establishes persistence through the registry run key.
Hive0147 is just one of dozens of malware distributors enabling the cybercrime ecosystem in LATAM. IBM X-Force is observing an increase in threats targeting the region with newly developed malware such as Picanha, and high volumes of phishing campaigns. Ultimately, the close collaboration between LATAM cybercrime groups should urge defenders to collaborate just as closely. By making full use of threat intelligence to stay informed about the latest threats and best practices, individuals and organizations can mitigate the risks associated with banking trojans and protect themselves from financial loss. Combating these threats and ensuring a secure digital future for the region requires strong cooperation between governments, financial institutions, law enforcement, and security researchers.
Technical recommendations:
IBM X-Force encourages organizations that may be impacted by these campaigns to review the following recommendations:
- Exercise caution with emails and PDFs prompting a file download
- Monitor emails for URLs abusing cloud service domains such as “app.goo.gl” for phishing
- Monitor registry keys used for persistence:
  - HKEY_CURRENT_USER\Environment\UserInitMprLogonScript
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Consider blocking pre-calculated DGA domains via DNS
- Install and configure endpoint security software
- Update relevant network security monitoring rules
- Educate staff on the potential threats to the organization
Indicators of compromise:
Indicator | Indicator Type | Context |
https://yhv6e.app.goo[.]gl/ASmaxYfRW4Eh9j34A | URL | Hive0147 phishing URL |
https://xek99.app.goo[.]gl/g21ytBravSMDQb7H6 | URL | Hive0147 phishing URL |
d5800c06fe27cf0c6858ea7e02c8b2d35d7a76a93077f9ca6e41878603c38ef3 | SHA256 | Picanha Downloader stage 1 |
olukv[.]familyrealstore[.]com | Domain | Picanha download domain |
khqry[.]vitapronobisfassolution[.]com[.]br | Domain | Picanha download domain |
izlhu[.]ometodoseroficial[.]com | Domain | Picanha download domain |
jmaah[.]clicktelefoniaempresarial[.]com[.]br | Domain | Picanha download domain |
sohye[.]topracoes[.]com | Domain | Picanha download domain |
tjqty[.]deccsmagazine[.]com[.]br | Domain | Picanha download domain |
ljoea[.]curasdanatureza[.]com | Domain | Picanha download domain |
zpguk[.]cozinhaofertas[.]com | Domain | Picanha download domain |
hzfzx[.]khadicomunicacao[.]com[.]br | Domain | Picanha download domain |
dyicn[.]ofertadsn[.]com[.]br | Domain | Picanha download domain |
39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012 | SHA256 | Legitimate application |
4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e | SHA256 | Picanha stage 2 DLL |
18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b | SHA256 | Encrypted Mekotio payload |
6a5db2fe1deabd14864a8d908169e4842c611581bdc3357fa597a8fbbc37baf6 | SHA256 | Decrypted Mekotio banking trojan |
3cd99dd0981c76e5a7b9[.]doomdns[.]com | Domain | Mekotio example DGA domain |
4e342df890dd9fb169e0[.]doomdns[.]com | Domain | Mekotio example DGA domain |
177.235.219[.]126 | IP | Mekotio fallback C2 server |
https://api.cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my | URL | Mekotio component download URL |
https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire.txt?alt=media&token=096bbc3c-d9eb-4010-a8c7-36d51874bff7 | URL | Mekotio component download URL |
https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire?alt=media&token=8c582627-8a00-4e3d-9bc5-9b657ad0f135 | URL | Mekotio component download URL |