IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution.

After a 3-month break, Hive0147 returned in July with even larger campaign volumes and the debut of a new malicious downloader that X-Force named “Picanha,” which is likely under continued development and deploys the Mekotio banking trojan. Hive0147 also distributes other banking trojans, such as Banker.FN (also known as Coyote), and is likely affiliated with several other Latin American cyber crime groups operating different downloaders and banking trojans to enable banking fraud.

Key findings

  • Hive0147 is one of the most active URL-based phishing threat actors targeting LATAM
  • Malware distributed by Hive0147 has led to a variety of banking trojans, including Banker.FN and Mekotio
  • X-Force discovered a new two-stage downloader named Picanha, which was used to facilitate a Mekotio infection
  • The Mekotio variant observed by X-Force targets a multitude of banking applications and uses DGA to resolve its C2 servers

LATAM digital landscape

LATAM has increasingly become a highly targeted cyber threat landscape, specifically in Brazil and Mexico, where economies and industries show strong development. Evolving digital landscapes can be seen expanding into government services and financial technologies, including mobile banking. The 2023 Latin America E-commerce Blueprint found that e-commerce will steadily grow by at least 20% annually due to improved technology, innovations from online platforms and the adoption of alternative payment methods. In 2023, 71% of adults in the region had a financial account, and it is estimated that between 2023 and 2026, 33 million new users will use the internet for the first time.

E-commerce in LATAM, including retail and other sectors like tax payments, fees and licenses, bill payments and government services, has dominated with 70% of e-commerce transactions conducted over mobile channels since 2020. Conducting transactions over mobile channels gives users the flexibility to store user credentials in digital wallets and initiate real-time bank transfers. For example, Brazil’s ‘Pix’ payment platform accounts for 16% of the region’s e-commerce transaction volume. By 2026, it is estimated that Pix growth will account for 38% of online sales.

With increasing digital developments in LATAM, specifically with e-commerce platforms, IBM X-Force assesses malware distributors such as Hive0147 are taking advantage of the growth. Malware distributors operating within LATAM are increasing phishing campaign delivery in hopes of obtaining credentials, specifically banking credentials, for monetary gain. Throughout 2023, LATAM remained a highly impacted region, accounting for 12% of incident response cases supported by IBM X-Force. In 2023, entities and users in Brazil were most frequently targeted, making up 68% of all cases that IBM X-Force responded to in LATAM, while users in Colombia accounted for 17%, and users in Chile 8%.

IBM X-Force tracks several threat actors operating in LATAM, although attribution and clustering can be difficult due to overlapping tactics, techniques and procedures (TTPs). Phishing campaigns within the LATAM region typically contain themes related to public service, government, taxes and invoices, with the email bodies including either Portuguese or Spanish language content. Often, infection chains consist of multiple stages, starting with either PDF lures or URLs. Cloud-hosted payloads commonly observed in campaigns use platforms such as Azure blob (blob.core.windows.net), Azure (cloudapp.azure.com), Firebase dynamic links, GoDaddy (host.secureserver.net) and Google Cloud Run (app.goo.gl). When users click on one of the provided links, they are redirected and initiate the download of a ZIP archive file. Depending on the campaign, X-Force notes the ZIP files might contain one of the following file types: MSI, EXE, CMD, HTA or VBS. Executing the ZIP file starts the infection chain, with some distributors being partial to specific malware such as BlotchyQuasar (Hive0129), Guildma and some Grandoreiro operators, while others use different payloads and a variety of forks. Frequently, email campaigns containing redirect links are geofenced, requiring the user to access the links within a specific LATAM country (most commonly Brazil, Mexico or Colombia).

Hive0147 is one of the most active banking malware distributors that IBM X-Force currently observes operating in LATAM. IBM X-Force has been tracking a steady influx of campaigns grouped under Hive0147 delivering the banking trojan Banker.FN, as well as a new Golang-based downloader we’ve named “Picanha,” deploying the well-known Mekotio banking trojan. Although we do not attribute this new downloader to Hive0147 specifically, IBM X-Force assesses that LATAM distributors operate under a similar model as other cyber crime groups, with affiliate groups specializing in spamming, malware staging or crypting, and banking trojan operations and monetization.

Hive0147 distribution activity

Most of Hive0147’s emails are sent from French IP addresses, although there has been a recent shift to emails almost exclusively being sent from Dutch IP addresses. Shifting the location of sender IP addresses may be an attempt to evade detection and bypass security, prevent IP blocking or make attribution difficult. Interestingly, of the campaign activity observed since January, X-Force found that about half of the emails have a successful DomainKeys Identified Mail (DKIM) verification. DKIM is a method in which signatures are used to verify the authenticity of an email message to ensure that it did not change during transit. Emails with successful DKIM checks may have a higher likelihood of not being flagged as spam. For Hive0147, failed DKIM checks may have been a misconfiguration on the actor’s part or the result of using different services or infrastructures that do not support DKIM.

During phases of activity, IBM X-Force has observed Hive0147 exhibit a significantly higher volume of activity compared to other LATAM malware distributors. Since January 2024, X-Force notes that activity attributed to Hive0147 occurs on all days during the week; however, activity mainly occurs Monday to Thursday, with 80% of campaign emails sent on these days. Interestingly, from April to July, we saw an almost complete stop in activity, which may be the result of higher-than-normal domestic travel. Brazil’s travel industry is growing rapidly, which can be seen in the increase in both domestic and international air traffic. The National Civil Aviation Agency (ANAC) reported a significant increase in flight passenger traffic of 4.4% between January and June 2024, recording 56.2 million passengers. In addition, the International Air Transport Association (IATA) reported that in July 2024, domestic tourism in Brazil grew by a substantial 8.9%.

Figure 1: Hive0147 active campaign days

Figure 2: Hive0147 top six IP usage by country

Figure 3: Hive0147 DKIM success and permanent_error

Hive0147 and Banker.FN

IBM X-Force has been tracking and clustering a series of campaigns as Hive0147 since 2023, which have been delivering the banking trojan Banker.FN. Banker.FN is a .NET-based banking trojan first reported in early 2023, with activity dating back to at least September 2022. Since then, Banker.FN has received several updates with added functionality.

Banker.FN is able to: 

  • Exfiltrate sensitive information
  • Enumerate active banking websites
  • Display fake logins and multi-factor authentication windows 

IBM X-Force attributes campaigns delivering Banker.FN to Hive0147 with medium confidence, as activity can be difficult to delineate from other LATAM distributors due to TTP overlaps. X-Force considers the reported Banker.FN campaigns from July 2023 to likely November 2023 as Hive0147 operations.

Campaign elements between July and November 2023:

| Campaign element | Observation |
| --- | --- |
| Emails | Sent during the week (either by X-Force observance or via ZIP file compile dates) |
| Cloud-hosted Payloads | X-Force observed goo.gl URLs or unknown |
| ZIP Download | Yes |
| Use of Electron App | Yes |
| Installer | NSIS transition to Squirrel |
| NIM Loader | Yes |
| Filenames | All similar containing variations and combinations of “PDF, Fatur, Mensal, doc” |

Distribution disguised as Electron app

In late July-August 2023, X-Force observed Banker.FN version 1.0.0.89 was being distributed in high-volume email campaigns. Campaigns were active during the weekdays, targeting users in Brazil with emails written in themes related to invoices and deliveries. Emails contained an embedded “app.goo[.]gl” link, redirecting users to Firebase dynamic links to download a malicious Electron app acting as a loader. Upon installation, the loader goes through several infection stages including a Nim-compiled crypter to stealthily inject the final payload. The banking trojan is then able to exfiltrate sensitive information, enumerate active banking websites, and display fake logins and multi-factor authentication windows.

Figure 4: Examples of fake multi-factor authentication windows

Abusing the Squirrel installer

IBM X-Force observed the distribution of Banker.FN again in late August 2023, this time delivered via DocuSign. Although emails were sent Friday-Monday, most emails were delivered on Friday. The campaign targeted Portuguese-speaking users and directed the recipient to review and sign a document by clicking on a Firebase dynamic link. The victim is then redirected to a dropper site, which upon resolving the domain will download a ZIP file onto the victim’s machine. The downloaded ZIP archive contains an executable posing as a PDF file, which is a malicious Electron app built into a Squirrel.Windows installer. Upon execution, it installs its malicious components, establishes persistence, detects virtual environments and decrypts the next stage before executing it via DLL hijacking.

Figure 5: Sample email

The Electron app built into a Squirrel.Windows installer is a slight change from the previous campaign, where the Electron app was built into an NSIS installer. The app, however, is built the same and contains an obfuscated JavaScript installer to check for common virtual machine environments before establishing persistence and decrypting an archive containing another trojanized application. The trojanized application executes a legitimate executable, which in turn executes a bloated malicious loader via DLL hijacking, continuing the attack execution. This campaign continues with the use of a Nim-compiled loader using more advanced techniques such as direct syscalls.

Further reports made public in February and July 2024 detail campaigns likely occurring in late 2023 delivering a purported new malware named “Coyote”; however, the malware is a banking trojan first discovered by ESET called Banker.FN. The infection chain in both campaigns involves the Squirrel installer for malware distribution, as well as NodeJS and Nim Loader.

“Picanha” and the role of downloaders in the banking trojan ecosystem

The ecosystem of LATAM banking trojans is unique in comparison to other cyber crime operations. It is one of the only regions in which banking trojans are still used heavily to commit banking fraud, while most other banking trojans have since moved on to become backdoors and botnets to furnish ransomware attacks. The threat groups operating out of LATAM and Spain also display a high degree of cross-group collaboration, while sticking to their tried-and-true techniques, seldom found in other regions. Although this does help to quickly identify a “Latin American banking trojan” group or campaign, attribution is often very challenging due to the strong overlaps. Different malware strains will often use similar string encryption algorithms, and several banking trojans are believed to be operated as Malware-as-a-Service or have several independently developed and operated forks. The same applies to the malware distributors, which mainly rely on shared techniques such as public cloud hosting and phishing emails containing PDFs and malicious URLs to download ZIP archives containing the first-stage malware.

In most cases, the first stage is a downloader-type malware. These come in all shapes and sizes and can have varying levels of complexity. A large portion of downloaders are script-based, often featuring lengthy infection chains comprised of scripts including Batch, JavaScript, Visual Basic Script or PowerShell, and the scripts themselves may also be embedded in files such as HTML, LNK (Guildma especially) or MSI installers. The more complex downloaders often support some very basic enumeration on the host, which they pass back to their C2/download server, in order to notify the operators of the potential value of an infection. One example is the Grandoreiro downloader, a member of the Grandoreiro family which features its own string encryption and performs detailed enumeration before downloading the main banking trojan.

Other downloaders are more generic but are also used to download banking trojans such as Grandoreiro. What the latter have in common is that they almost always download a full archive containing a legitimate application, with the malware hidden in a trojanized DLL which is loaded by the application upon execution. The reason for this method of packaging and distribution is so that any potentially suspicious activity performed by the banking trojan appears to EDR solutions as if it is coming from a legitimate executable’s process. This recurring technique is characteristic of the LATAM ecosystem and has been a distinctive feature for several years. In mid-2024, IBM X-Force observed a campaign delivering a new downloader exhibiting the same characteristics. X-Force named the new Golang-based downloader “Picanha.”

The Picanha downloader is the next evolution of this malware type, offering enhanced features such as supporting more download URLs, reliable encryption and a more sophisticated in-memory execution mechanism, surpassing previous downloader capabilities. However, the builder for Picanha, which is responsible for creating the random function names and other values, is likely still under development. Frequent code changes, such as bug fixes and the presence of unused configuration values, may further indicate that future versions could include additional features such as persistence for the downloaded payload.

Picanha downloader

In July 2023, IBM X-Force observed an email campaign using the new Golang-based downloader Picanha to deliver the Mekotio banking trojan. The initial phishing email is in Portuguese and targets employees informing them of an apparent change in the number of vacation days they have. This theme directly threatens employees’ well-being and the sense of urgency may lead to victims impulsively clicking on the included URL to view the changes.

Figure 6: Sample phishing email

As in previous campaigns targeting LATAM entities, the URL uses Google’s Cloud Run service and redirects victims to a site to download a ZIP file containing a malicious executable. The new Golang-based malware “Picanha downloader” consists of two stages.

Stage 1

Notably, the first stage of the Golang executable contains original function names; however, these have been selected randomly for each sample based on a Portuguese wordlist:

Figure 7: Wordlist

First, Picanha begins by executing a function designed to imitate the Sleep command. The function calculates the elapsed time and performs random calculations until a randomly chosen threshold is reached. The calculation time varies from 25 seconds to 3 minutes. This technique is likely intended to hinder or slow down detection engines, which are often able to hook the Sleep API and skip the dormant functionality.

Then, Picanha decrypts its configuration, which is stored as a hardcoded hex string encrypted with AES-256-GCM.

Figure 8: Encrypted configuration

The decrypted configuration string contains values delimited by the characters “#” and “|”:

The decrypted configuration consists of: 

  • 10 different download domains
  • The file path of Topaz OFD – an online banking security app popular in Latin America
  • A registry key commonly used for persistence – currently unused
  • The relative path “\Microsoft\Windows” – currently unused
  • A random word used as the name of the folder to store the payload 

Picanha will then create a new folder in a randomly chosen folder within the %LOCALAPPDATA% directory. For the analyzed sample based on the above config, the folder would be named “secretores.”

Next, the malware enters a loop and attempts to connect to each of the 10 embedded download domains until one is successful. Between the requests, the malware sleeps in random intervals. For each domain, it constructs a full URL and attempts to download a payload. If the request is successful, it will parse the payload as a ZIP archive and extract the contents into the newly created directory.

Figure 9: Loop attempting connections to embedded domains

After that, the malware checks for the presence of the Topaz OFD banking security protection module, ensuring it is installed by verifying if the path “C:\Program Files\Topaz OFD\Warsaw” exists on the system. Depending on the result, Picanha issues a second HTTP GET request to the following URL using the same domain as for the ZIP download:

https://<domain>/N -> Not installed
https://<domain>/S -> Installed

Finally, Picanha launches the main executable which was extracted from the ZIP archive. As often seen with infection chains of related banking trojans, the main executable is a legitimate application that loads a trojanized DLL, in this case, named NsBars.dll.

In the example above, the extracted archive contains innocuous files related to the legitimate application and the following three files used for the next steps of the infection chain:

| Relative path | Description | SHA256 |
| --- | --- | --- |
| .\Textoescritor.exe | Legitimate application | 39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012 |
| .\bin\NsBars.dll | Malicious DLL (Picanha Stage 2), replacing the original NsBars.dll | 4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e |
| .\wFHYfjQNzkoG.dat | Encrypted Mekotio payload | 18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b |

Picanha’s first stage terminates after executing Textoescritor.exe. The legitimate application goes on to load a series of user DLLs from the “bin” subdirectory, including the trojanized NsBars.dll. When NsBars.dll is loaded, the export function “BarCreate” is called. The code in this function is responsible for executing the second stage of Picanha.
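
The stage 1 network behaviour described above (a ZIP download followed by a GET request to /N or /S on the same domain) can be hunted for in web proxy logs. The following Python code is an added example, not code from IBM X-Force; the log layout, the five-minute window, the ZIP content types, the function names and every host and path in the sample lines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed maximum gap between the ZIP download and the Topaz OFD check-in.
WINDOW = timedelta(minutes=5)
# Paths of the second GET request and what each one reports to the server.
CHECKIN_PATHS = {"/N": "Topaz OFD not installed", "/S": "Topaz OFD installed"}
# Assumed content types for the downloaded archive.
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}

# Constructed proxy log: time, client, method, host, path, status, content type.
SAMPLE_LOG = """\
2024-07-15T09:00:00Z 10.0.0.51 GET files.intranet.example /tools.zip 200 application/zip
2024-07-15T11:30:00Z 10.0.0.51 GET files.intranet.example /N 404 text/html
2024-07-15T13:01:40Z 10.0.0.23 GET abcde.first.example /get 503 text/html
2024-07-15T13:02:05Z 10.0.0.23 GET fghij.second.example /get 200 application/zip
2024-07-15T13:02:09Z 10.0.0.23 GET fghij.second.example /S 200 text/plain
2024-07-15T13:05:00Z 10.0.0.40 GET cdn.vendor.example /S 200 text/html
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, host, path, status, ctype = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        status = int(status)
    except ValueError:
        return None
    return {
        "when": when, "client": client, "method": method.upper(),
        "host": host.lower(), "path": path, "status": status,
        "ctype": ctype.split(";")[0].lower(),
    }


def find_picanha_sequences(lines):
    """Return (client, host, meaning, gap) for each /N or /S request that
    follows a successful ZIP download from the same host by the same client."""
    last_zip = {}  # (client, host) -> time of the latest ZIP download
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        key = (rec["client"], rec["host"])
        if rec["path"] in CHECKIN_PATHS:
            zip_time = last_zip.get(key)
            if zip_time is not None:
                gap = rec["when"] - zip_time
                if timedelta(0) <= gap <= WINDOW:
                    hits.append((rec["client"], rec["host"],
                                 CHECKIN_PATHS[rec["path"]], gap))
        elif rec["status"] == 200 and rec["ctype"] in ZIP_TYPES:
            last_zip[key] = rec["when"]
    return hits


if __name__ == "__main__":
    for client, host, meaning, gap in find_picanha_sequences(SAMPLE_LOG):
        print(f"{client} -> {host}: {meaning} ({gap.total_seconds():.0f}s after ZIP)")
```

A /N or /S request on its own is too common to alert on; the pairing with a preceding archive download from the same host is what makes the sequence worth reviewing.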

Stage 2

Picanha’s second stage starts with the decryption of the final payload (Mekotio), which requires two arguments to proceed: 

  1. The filename of the encrypted payload “wFHYfjQNzkoG.dat”
  2. A decryption password “hNWzPAsZVruI” 

The final payload is decrypted in memory using the SHA256 hash of the password as a key for the AES-256-GCM algorithm.

Finally, the address of the decrypted Mekotio payload is passed to a loader function to manually map the binary into a new buffer in memory and resolve its imports. The loader function retrieves the entry point of the Mekotio payload and transfers execution to it.

Mekotio banking trojan

The Mekotio banking trojan is a Delphi-compiled executable, in this case a 64-bit DLL. Execution begins in the main class with the FormCreate function which attempts to retrieve handles for the following DLLs used by banking security applications:

wslbscr32.dll
wslbscrwh32.dll
RapportGH.dll
rooksbas.dll
rooksdol.dll

If they were already loaded into memory, Mekotio would attempt to unload the DLLs by calling DllMain with the DLL_PROCESS_DETACH parameter. However, a simple error in the code causes this functionality to fail due to an encrypted string missing its decryption function:

Figure 10: Decryption function

The next interesting piece of code uses SetSecurityInfo to modify the discretionary access control list (DACL) of its process, setting it to a new empty DACL.

Figure 11: Empty DACL

This prevents Windows 7 users from using Windows Task Manager to terminate the process.

Figure 12: Error message

However, users can still terminate the process from Administrator mode in the Task Manager and the technique does not work in Windows 8.1 and above.

Mekotio also loads two DLLs needed during execution, “Magnification.dll” and “dwmapi.dll”. Finally, the malware begins its enumeration procedure and initiates command and control (C2) communication. Like most other Delphi-based banking trojans, the different classes and functions implementing the various features of the malware are scheduled via Delphi Timer objects.

Persistence

Upon execution, Mekotio establishes persistence using a registry key. It writes the path of the running executable (the legitimate binary loading the Picanha stage 2 DLL) to the following key, causing Mekotio to execute immediately after every login. At the same time a file “maisum2.dat” is dropped into the current directory, as an indicator that persistence was established successfully.

HKEY_CURRENT_USER\Environment\UserInitMprLogonScript

In addition, Mekotio is able to accept a C2 command requesting to establish persistence through another registry key. In that case, the banking trojan runs

with the “REG ADD” command to write the same path to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Command and control

Mekotio begins its first C2 connection with an HTTP POST request, sending an encrypted string containing basic enumeration data on the newly infected client. For example:

dqbw802=7mvejj3zfwoD5880AhFzv62fA3n7sz8oB4nBoAB3Da&Bcdv2=D929321e3a0651A0ae94b2979e&by4ps8=067DAF75a59388eb63d56AD1474EB73F&40z0uuE=9034F4&y1ry=86FD5dF9&h5i2c8cD3=F37c8880819a78d86bF55BE04e&5c9mt=&zwCbcq=6E8389839392D52FEA31D356C73bA429ac53&83whhjc=&

The data is formatted using the following pattern:

<random_string>=<value1>&<random_string>=<value2>&<random_string>=<value3>...

The first value is a randomly generated 42-character key, which decrypts all other values using the standard Mekotio string encryption algorithm. The encrypted values contain the following system information: 

  • Computer name
  • Username
  • Windows version
  • Mekotio version string “D22”
  • Installed security software (Topaz OFD, Trusteer, Banco Bradesco “Componentes de Segurança”)
  • Installed anti-virus software 

The analyzed sample does not contain a valid URL, which in turn causes the C2 request to fail. As often observed in related banking trojans, this might well be a deprecated functionality not properly cleaned up.
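
A structural check for this request format can help when reviewing captured POST bodies. This is an added example, not code from IBM X-Force; it assumes, based only on the sample above, that field names and the key are alphanumeric and that the encrypted values are even-length hexadecimal strings, and the function names and the minimum field count are illustrative.

```python
import re

KEY_LEN = 42  # length of the random key carried in the first value
ALNUM = re.compile(r"[A-Za-z0-9]+")
HEX_PAIRS = re.compile(r"(?:[0-9A-Fa-f]{2})*")  # even-length hex, may be empty

# Request body quoted from the analysis above.
PAGE_SAMPLE = (
    "dqbw802=7mvejj3zfwoD5880AhFzv62fA3n7sz8oB4nBoAB3Da"
    "&Bcdv2=D929321e3a0651A0ae94b2979e"
    "&by4ps8=067DAF75a59388eb63d56AD1474EB73F"
    "&40z0uuE=9034F4&y1ry=86FD5dF9"
    "&h5i2c8cD3=F37c8880819a78d86bF55BE04e"
    "&5c9mt=&zwCbcq=6E8389839392D52FEA31D356C73bA429ac53"
    "&83whhjc=&"
)


def parse_body(body):
    """Split 'name=value&name=value&...' into ordered (name, value) pairs.

    Empty values are kept, a trailing '&' is tolerated, and None is
    returned when a field has no '=' at all.
    """
    pairs = []
    for field in body.strip().split("&"):
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            return None
        pairs.append((name, value))
    return pairs


def looks_like_mekotio_checkin(body, min_fields=4):
    """True when the body has the shape of the enumeration request:
    a 42-character alphanumeric key first, then hex-encoded values."""
    pairs = parse_body(body)
    if not pairs or len(pairs) < min_fields:
        return False
    if not all(ALNUM.fullmatch(name) for name, _ in pairs):
        return False
    key = pairs[0][1]
    if len(key) != KEY_LEN or not ALNUM.fullmatch(key):
        return False
    values = [value for _, value in pairs[1:]]
    if not all(HEX_PAIRS.fullmatch(value) for value in values):
        return False
    return any(values)  # require at least one non-empty encrypted value


if __name__ == "__main__":
    print(looks_like_mekotio_checkin(PAGE_SAMPLE))
    print(looks_like_mekotio_checkin("user=alice&pass=secret&lang=pt&keep=1"))
```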

DGA

The rest of the banking trojan’s functionality may use a choice of two different DGA mechanisms to generate a domain and resolve its C2 server. Afterward, the actual Mekotio C2 communication is performed via Windows Sockets.

The first DGA mechanism, when the DGA mode configuration value is set to 1, generates a new domain based on the following data: 

  1. Day of the month
  2. Month of the year
  3. Hardcoded seed “mkro” 

The resulting strings are then concatenated. For September 16th for instance, the result is “1609mkro.”

For a DGA mode set to 2, Mekotio also incorporates the hour of the day within a specific period. The following time frames are mapped to a specific string:

| Time is less than | Mapped string |
| --- | --- |
| 07:00:00 | “AM01” |
| 08:00:00 | “AM02” |
| 09:00:00 | “AM03” |
| 10:00:00 | “AM04” |
| 11:00:00 | “AM05” |
| 12:00:00 | “AM06” |
| 13:00:00 | “PM01” |
| 14:00:00 | “PM02” |
| 15:00:00 | “PM03” |
| 16:00:00 | “PM04” |
| 17:00:00 | “PM05” |
| 18:00:00 | “PM06” |

The second DGA method concatenates the following data, using the mapped string for the timeframe:

  1. Day of the week
  2. Day of the month
  3. Timeframe string
  4. Hardcoded seed “mkro” 

As a result, the second DGA method would form the string “MON16AM04mkro” for the date and time “September 16th at 09:42.”

From this point, both methods are the same. They generate an MD5 hash of the concatenated string and use the first 20 characters as a subdomain. The apex domain is retrieved using a list that corresponds to the current day of the month:

01 blogdns[.]com
02 blogdns[.]net
03 blogdns[.]org
04 blogsite[.]org
05 webhop[.]biz
06 webhop[.]info
07 dnsalias[.]com
08 dnsalias[.]net
09 dnsalias[.]org
10 dnsdojo[.]com
11 doesntexist[.]com
12 doesntexist[.]org
13 dontexist[.]com
14 dontexist[.]net
15 dontexist[.]org
16 doomdns[.]com
17 doomdns[.]org
18 dvrdns[.]org
19 dyn-o-saur[.]com
20 dynalias[.]com
21 dynalias[.]net
22 dynalias[.]org
23 dynathome[.]net
24 endofinternet[.]net
25 endofinternet[.]org
26 endoftheinternet[.]org
27 webhop[.]org
28 issmarterthanyou[.]com
29 neat-url[.]com
30 from-ks[.]com
31 dyndns-remote[.]com

For both methods explained above, the final C2 domains are:

3cd99dd0981c76e5a7b9[.]doomdns[.]com
4e342df890dd9fb169e0[.]doomdns[.]com

Mekotio also supports a C2 mode of 0, which is likely meant as a fallback or testing channel, and contains a hardcoded IP address to be used as a C2 server:

177.235.219[.]126
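
To support blocking pre-calculated DGA domains via DNS, the two DGA modes can be reproduced as follows. This is an added example, not code from IBM X-Force: the ASCII encoding of the hashed string, zero-padding of the day, the weekday abbreviations other than “MON” and the behaviour from 18:00 onward are assumptions, so compare the output for 16 September at 09:42 with the two example domains above before relying on it.

```python
import hashlib
from datetime import date, datetime, timedelta

SEED = "mkro"  # hardcoded seed reported in the analysis

# Apex domain per day of month (index 0 = day 01), from the list above.
APEX_BY_DAY = [
    "blogdns.com", "blogdns.net", "blogdns.org", "blogsite.org",
    "webhop.biz", "webhop.info", "dnsalias.com", "dnsalias.net",
    "dnsalias.org", "dnsdojo.com", "doesntexist.com", "doesntexist.org",
    "dontexist.com", "dontexist.net", "dontexist.org", "doomdns.com",
    "doomdns.org", "dvrdns.org", "dyn-o-saur.com", "dynalias.com",
    "dynalias.net", "dynalias.org", "dynathome.net", "endofinternet.net",
    "endofinternet.org", "endoftheinternet.org", "webhop.org",
    "issmarterthanyou.com", "neat-url.com", "from-ks.com",
    "dyndns-remote.com",
]

# (exclusive upper-bound hour, label) pairs from the timeframe table.
TIMEFRAMES = [(7, "AM01"), (8, "AM02"), (9, "AM03"), (10, "AM04"),
              (11, "AM05"), (12, "AM06"), (13, "PM01"), (14, "PM02"),
              (15, "PM03"), (16, "PM04"), (17, "PM05"), (18, "PM06")]

# Only "MON" appears in the analysis; the other abbreviations are assumed.
WEEKDAYS = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]


def timeframe_label(hour):
    """Map an hour (0-23) to its timeframe string, or None from 18:00 on."""
    for upper, label in TIMEFRAMES:
        if hour < upper:
            return label
    return None  # the table gives no mapping for 18:00 and later


def seed_string(mode, when):
    """Build the string that is hashed for DGA mode 1 or 2."""
    if mode == 1:
        return f"{when.day:02d}{when.month:02d}{SEED}"
    if mode == 2:
        label = timeframe_label(when.hour)
        if label is None:
            return None
        return f"{WEEKDAYS[when.weekday()]}{when.day:02d}{label}{SEED}"
    raise ValueError("only DGA modes 1 and 2 are described")


def domain_for(mode, when):
    """Return the candidate C2 domain for a mode and timestamp, or None."""
    text = seed_string(mode, when)
    if text is None:
        return None
    digest = hashlib.md5(text.encode("ascii")).hexdigest()  # encoding assumed
    # First 20 hex characters form the subdomain; apex depends on the day.
    return f"{digest[:20]}.{APEX_BY_DAY[when.day - 1]}"


def blocklist(start, days):
    """All mode 1 and mode 2 domains for `days` days beginning at `start`."""
    domains = set()
    for offset in range(days):
        day = start + timedelta(days=offset)
        base = datetime(day.year, day.month, day.day)
        domains.add(domain_for(1, base))
        for upper, _ in TIMEFRAMES:
            # One representative hour inside each timeframe.
            domains.add(domain_for(2, base.replace(hour=upper - 1)))
    return sorted(domains)


if __name__ == "__main__":
    for name in blocklist(date.today(), 7):
        print(name)
```

Because neither mode includes the year, and mode 2 also omits the month, the same domains recur, so a list generated once stays valid for later periods with the same day and weekday combination.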

Behavior

Just like most other banking trojans, all specific functionality of Mekotio requires sensitive strings. These are decrypted at runtime to avoid static detections. Mekotio uses an old algorithm which is among the most common ones in LATAM banking trojans, and has been used as such or in slight variations with other bankers including Grandoreiro, Ousaban and Astaroth/Guildma. It has been documented numerous times before, but the following is an example Python implementation:

The main objective of Mekotio or any other LATAM banking trojan is to discover the use of banking applications and attempt to manipulate the apps, web apps or the users themselves to commit banking fraud. In the initial discovery of targeted banking applications, the banking trojans include a list of strings containing the names of common financial institutions and their related apps. This list is constantly compared against any open windows on the infected machine. If there is a match, the banking trojan will inform the operator which exact application is used. Mekotio contains the following list indicating a clear targeting towards banking apps used throughout LATAM:

BancoDaycoval
BancoMercantil
CCBBrasil
agibank
aplicativoita
asaas
atendimentoita
badesul
bancoalfa
bancobmg
bancobradesco
bancobs2
bancodaamazonia
bancodobrasil
bancodoestadodopar
bancodonordeste
bancointer
bancoita
bancomercantil
bancooriginal
bancorendimento
bancotopazio
bancovotorantim
banesedoseujeito
banestes
banrisul
bbcombr
bdmgdigital
binance
bitcointrade
bitfinex
bitpreco
bitstamp
blockchain
bnb.gov.br
bradesco
braziliex
brbbanknet
citibank
civiacontaonline
contasimples
coopcred
cora
credinet
credisis
creditran
credsis
cresolinternetbanking
gerenciadorfinanceiro
homebank
internetbanking.banpara
internetbankingcai
itauaplicativo.exe
logincaixa
loginx
mercadobitcoin
mercadopago
navegadorexclusivo
pagueveloz
picpay
poloniex
primebit
primexbt
pro.bitcointoyou
recargapay
safranetbanking
santand
sicoob
sicredi
sisprime
sisprime
sofisa
stone
tribanco
unicred
uniprime
viacredi
wise

When one of the referenced banking applications is detected, Mekotio can handle specific commands. These commands implement the following functionality: 

  • Lock the application’s window to prevent users from exiting
  • Grab input from the window, which might include credentials and tokens
  • Create a fake window imitating the banking application to capture credentials or tokens
  • Display or capture a QR code, which may be used to circumvent multi-factor authentication (MFA)
  • Display a token again to circumvent MFA 

Mekotio contains several images designed to imitate banking applications:

Figure 13: Readily available application images

Figure 14: Readily available application images

Figure 15: Readily available application images

Figure 16: Readily available application images

In addition, Mekotio supports a list of further commands to control the infected machine, including commands to: 

  • Send keystrokes, mouse movement, clicks or scrolls
  • Display windows with custom text
  • Send or receive clipboard data
  • Change C2 modes
  • Beacon/Ping C2
  • Kill process “core.exe” associated with banking security software
  • Kill browsers
  • Maximize browser windows
  • Show taskbar
  • Send system enumeration data
  • Take screenshots
  • Constantly check for windows such as “Task Manager” and “Warning” and immediately close them 

Another interesting functionality exhibited by Mekotio is a feature internally called “Troca sistema de lugar”, which roughly translates to “Change system location” (Portuguese machine translation). Mekotio will send an HTTP GET request to retrieve an encrypted string stored at:

https://api.cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my

The string contains a key and encrypted data between hardcoded separators, which reveal a list of further download URLs hosted on Google Firebase:

https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire.txt?alt=media&token=096bbc3c-d9eb-4010-a8c7-36d51874bff7
https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire?alt=media&token=8c582627-8a00-4e3d-9bc5-9b657ad0f135

Both URLs host the same 40KB JSON file. Mekotio downloads this file as part of the next stage of the process.

Figure 17: JSON file contents

The JSON file contains two lists, “diretorioraiz” and “nomesdiretorio.” The former contains four system directories, and the latter is what appears to be a large list of folder names related to video games. Although the exact purpose of this content is not clear, Mekotio appears to randomly select and create a folder from the list and copy its archive to the new location. Afterward, it re-establishes persistence through the registry run key.

Conclusion

Hive0147 is just one of dozens of malware distributors enabling the cyber crime ecosystem in LATAM. IBM X-Force is observing an increase in threats targeting the region with newly developed malware such as Picanha, and high volumes of phishing campaigns. Ultimately, the close collaboration between LATAM cyber crime groups should urge defenders to collaborate just as closely. By making full use of threat intelligence to stay informed about the latest threats and best practices, individuals and organizations can mitigate the risks associated with banking trojans and protect themselves from financial loss. Combating these threats and ensuring a secure digital future for the region requires strong cooperation between governments, financial institutions, law enforcement and security researchers.

Technical recommendations

IBM X-Force encourages organizations that may be impacted by these campaigns to review the following recommendations: 

  • Exercise caution with emails and PDFs prompting a file download
  • Monitor emails for URLs abusing cloud service domains such as “app.goo.gl” for phishing
  • Monitor registry Run keys used for persistence:
      • HKEY_CURRENT_USER\Environment\UserInitMprLogonScript
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Consider blocking pre-calculated DGA domains via DNS
  • Install and configure endpoint security software
  • Update relevant network security monitoring rules
  • Educate staff on the potential threats to the organization 

Indicators of compromise

