“Hive0147: Juicy Picanha & Mekotio – A Security Intelligence Experience”

Hive0147 is a highly active LATAM threat group focusing on phishing and banking-trojan distribution, recently deploying the Golang-based downloader “Picanha” to deliver Mekotio. Their campaigns span multi-stage infection chains with ZIP payloads, DGA-based C2, and geofenced phishing in Portuguese/Spanish across Brazil and Mexico. #Hive0147 #Picanha #Mekotio #BankerFN #LATAM #Brazil #Mexico

Key points

  • Hive0147 is one of the most active phishing threat actors targeting LATAM.
  • The group distributes banking trojans such as Mekotio and Banker.FN.
  • A new downloader named “Picanha” was introduced to facilitate Mekotio infections.
  • Mekotio targets numerous banking apps and uses Domain Generation Algorithms (DGA) for C2 resolution.
  • Phishing campaigns commonly use public-service themes and are conducted in Portuguese or Spanish with geofencing to LATAM countries.
  • Infection chains are multi-stage, beginning with PDF lures or URLs that lead to ZIP file downloads.
  • There is notable collaboration among LATAM cybercrime groups, complicating attribution.

MITRE Techniques

  • [T1566] Phishing – Used email campaigns with themes related to public services to lure victims.
  • [T1071] Malware Distribution – Used cloud services for hosting malicious payloads.
  • [T1003] Credential Dumping – Exfiltrated sensitive information, including banking credentials.
  • [T1071] Command and Control – Utilized DGA for establishing communication with C2 servers.
  • [T1203] Execution – Executed malicious payloads after users downloaded ZIP files.

Indicators of Compromise

  • [URL] Hive0147 phishing URLs – https://yhv6e.app.goo[.]gl/ASmaxYfRW4Eh9j34A, https://xek99.app.goo[.]gl/g21ytBravSMDQb7H6
  • [SHA256] Picanha Stage 1 – 39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012
  • [Domain] Picanha download domains – olukv[.]familyrealstore[.]com, khqry[.]vitapronobisfassolution[.]com[.]br, and 2 more domains
  • [SHA256] Picanha stage 2 DLL – 4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e
  • [SHA256] Encrypted Mekotio payload – 18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b
  • [SHA256] Decrypted Mekotio payload – 6a5db2fe1deabd14864a8d908169e4842c611581bdc3357fa597a8fbbc37baf6
  • [Domain] Mekotio DGA example domains – 3cd99dd0981c76e5a7b9[.]doomdns[.]com, 4e342df890dd9fb169e0[.]doomdns[.]com
  • [IP] Mekotio fallback C2 – 177.235.219[.]126
  • [URL] Mekotio component download URL – https://api.cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my
  • [URL] Mekotio component download URLs – https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire.txt?alt=media&token=096bbc3c-d9eb-4010-a8c7-36d51874bff7, https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire?alt=media&token=8c582627-8a00-4e3d-9bc5-9b657ad0f135
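The following is an added detection example written for this summary; it is not code from the X-Force report. It refangs the published domain, IP and SHA256 indicators and scans plain-text DNS, proxy and EDR log lines for them. Beyond exact matches it also flags any 20-character lowercase-hex label directly under doomdns.com, which is an assumption generalised from the two published DGA example domains rather than a pattern stated in the report. The log line format and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators copied from the report above, exactly as published (defanged).
REPORT_DOMAINS = {
    "olukv[.]familyrealstore[.]com",
    "khqry[.]vitapronobisfassolution[.]com[.]br",
    "3cd99dd0981c76e5a7b9[.]doomdns[.]com",
    "4e342df890dd9fb169e0[.]doomdns[.]com",
}
REPORT_IPS = {"177.235.219[.]126"}
REPORT_SHA256 = {
    "39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012",  # Picanha stage 1
    "4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e",  # Picanha stage 2 DLL
    "18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b",  # encrypted Mekotio
    "6a5db2fe1deabd14864a8d908169e4842c611581bdc3357fa597a8fbbc37baf6",  # decrypted Mekotio
}


def refang(value: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into its real form."""
    return value.replace("[.]", ".")


KNOWN_DOMAINS = {refang(d) for d in REPORT_DOMAINS}
KNOWN_IPS = {refang(i) for i in REPORT_IPS}

# Assumption, not a rule from the report: both published DGA examples are a
# 20-character lowercase-hex label directly under doomdns.com, so this pattern
# generalises them to catch sibling domains the indicator list does not enumerate.
DGA_PATTERN = re.compile(r"[0-9a-f]{20}\.doomdns\.com")

DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str  # known_domain | dga_pattern | known_ip | known_hash
    value: str


def scan_lines(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per indicator match found in free-text log lines."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        for tok in DOMAIN_RE.findall(line):
            dom = tok.lower()
            if dom in KNOWN_DOMAINS:
                hits.append(Hit(n, "known_domain", dom))
            elif DGA_PATTERN.fullmatch(dom):
                hits.append(Hit(n, "dga_pattern", dom))
        for ip in IPV4_RE.findall(line):
            if ip in KNOWN_IPS:
                hits.append(Hit(n, "known_ip", ip))
        for h in SHA256_RE.findall(line):
            if h.lower() in REPORT_SHA256:
                hits.append(Hit(n, "known_hash", h.lower()))
    return hits


# Constructed sample log lines (DNS resolver, firewall and EDR style); the
# timestamps, client addresses and host name are invented for the example.
SAMPLE_LOG = [
    "2025-01-10T14:02:11Z client=10.0.0.5 query=www.example.com type=A rcode=NOERROR",
    "2025-01-10T14:02:13Z client=10.0.0.5 query=3cd99dd0981c76e5a7b9.doomdns.com type=A rcode=NXDOMAIN",
    "2025-01-10T14:02:14Z client=10.0.0.5 query=0a1b2c3d4e5f60718293.doomdns.com type=A rcode=NXDOMAIN",
    "2025-01-10T14:02:20Z client=10.0.0.5 dst=177.235.219.126 dport=443 action=allow",
    "2025-01-10T14:03:00Z host=WS-17 event=file_write sha256=4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e",
    "2025-01-10T14:03:05Z client=10.0.0.7 query=olukv.familyrealstore.com type=A rcode=NOERROR",
]


def main() -> None:
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")


if __name__ == "__main__":
    main()
```

Running the script reports five hits: two exact domain matches, one pattern-only doomdns.com domain that is not on the published list, the fallback C2 IP, and the stage 2 DLL hash. A known domain is reported once even though it also satisfies the DGA pattern, and the NXDOMAIN responses in the sample illustrate why resolver logs are a useful place to hunt for DGA traffic.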

Read more: https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/