Hive0147 serving juicy Picanha with a side of Mekotio

Oct. 17, 2024, 9:51 a.m.

Description

IBM X-Force observed Hive0147, a highly active threat group in Latin America, distributing a new Golang-based downloader named Picanha to deploy the Mekotio banking trojan. Picanha is a two-stage downloader that uses direct syscalls, supports multiple download URLs, applies encryption, and executes its next stage in memory. Mekotio is a Delphi-based banking trojan that targets a range of banking applications across Latin America; it presents fake login windows, manipulates QR codes, and steals credentials. The malware establishes persistence, enumerates the infected system, and resolves its command-and-control servers with a domain generation algorithm (DGA). Hive0147's operations highlight the evolving threats targeting Latin America's growing digital landscape.

Date

Published: Oct. 17, 2024, 9:24 a.m.

Created: Oct. 17, 2024, 9:24 a.m.

Modified: Oct. 17, 2024, 9:51 a.m.

Indicators


Attack Patterns

Banker.FN

Picanha

Mekotio

Hive0147

T1134.002

T1556.002

T1568

T1059.006

T1573.002

T1564.003

T1564.001

T1218.011

T1059.005

T1555.003

T1497.001

T1547.001

T1071.001

T1070.004

T1562.001

T1573

T1489

T1498

T1027

T1112

Additional Information

Technology

Finance