Hive0147’s Double Trouble Picanha and Mekotio Attack

Threat Group: Hive0147
Threat Type: Banking Trojan/Downloader
Exploited Vulnerabilities: Social engineering via phishing and credential theft; no software vulnerability is reported
Malware Used: Picanha (Downloader), Mekotio (Banking Trojan)
Threat Score: High (8.5/10) due to the advanced nature of the malware and its evolving techniques targeting the Latin American financial sector
Last Threat Observation: October 17, 2024


Overview:

Hive0147, a threat actor active in Latin America, has been observed distributing a new Golang-based downloader named Picanha, which serves as the delivery mechanism for the Mekotio banking trojan. Picanha is the first stage of a two-stage chain and relies on techniques such as direct syscalls, encryption, and in-memory execution that make it harder to detect on disk and with signature-based tooling. Mekotio targets banking applications, presenting fake login screens and manipulating QR codes to steal credentials. The malware's use of domain generation algorithms (DGA) for command-and-control resolution and its persistence mechanisms underline the group's growing sophistication in targeting the Latin American financial sector.

Key Details:

  • Delivery Method: Phishing emails containing malicious attachments or download links
  • Target: Financial institutions and users across Latin America
  • Functions:
    1. Picanha downloads and executes Mekotio
    2. Establishes persistence by modifying the Windows registry
    3. Steals credentials through fake login screens and QR code manipulation
    4. Uses DGA for dynamic resolution of C2 servers
    5. Employs in-memory execution to avoid detection by antivirus software

Attack Vectors:

Hive0147 typically gains initial access through phishing emails that either carry a malicious attachment or redirect the user to a website that delivers the Picanha downloader. Once executed, Picanha retrieves and runs the Mekotio banking trojan, which targets the victim's banking applications by presenting fake login screens and capturing the credentials entered into them to compromise financial accounts.

Known Indicators of Compromise (IoCs):

File Hashes:

  • MD5:
    • 067daf75a59388eb63d56ad1474eb73f
    • 0a5eb75d76c319da5f902b76c843a3c7
  • SHA1:
    • b2c8dd2194756001223568f6d1ff3e36f121d7d7
  • SHA256:
    • 18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b
    • 39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012
    • 4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e
    • 6a5db2fe1deabd14864a8d908169e4842c611581bdc3357fa597a8fbbc37baf6
    • d5800c06fe27cf0c6858ea7e02c8b2d35d7a76a93077f9ca6e41878603c38ef3

IP Addresses:

  • 177[.]235[.]219[.]126

URLs:

  • hxxps://api[.]cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my

Hostnames/Domains:

  • 3cd99dd0981c76e5a7b9[.]doomdns[.]com
  • 4e342df890dd9fb169e0[.]doomdns[.]com
  • api[.]cacher[.]io
  • dyicn[.]ofertadsn[.]com[.]br
  • hzfzx[.]khadicomunicacao[.]com[.]br
  • izlhu[.]ometodoseroficial[.]com
  • jmaah[.]clicktelefoniaempresarial[.]com[.]br
  • khqry[.]vitapronobisfassolution[.]com[.]br
  • ljoea[.]curasdanatureza[.]com
  • olukv[.]familyrealstore[.]com
  • sohye[.]topracoes[.]com
  • tjqty[.]deccsmagazine[.]com[.]br
  • zpguk[.]cozinhaofertas[.]com
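The indicators above are only useful once they are matched against telemetry. The following script is an added example, not code from the original report or from the researchers it cites: it refangs the listed hashes, IP address, URL and hostnames, scans a few constructed DNS, proxy, EDR and firewall log lines for them, and additionally flags hostnames that share the shape of the listed DGA domains (a five-letter lowercase label, or a 20-character hex label on doomdns.com). The log formats, the DGA-shape rule and the allowlist are assumptions for triage; the shape rule is a hunting heuristic rather than an IoC, and legitimate five-letter labels such as "login" will match it, which is why the allowlist exists.

```python
"""Match the Hive0147 IoCs listed above against constructed sample logs.

Added example, not from the original report. Log formats, the DGA-shape
heuristic and the allowlist are assumptions; the IoC values are the ones
printed on this page.
"""
import re
from dataclasses import dataclass


def refang(value: str) -> str:
    """Convert a defanged indicator ('hxxps://a[.]b') to its live form."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


# Indicators copied from the IoC section of this page.
IOC_HASHES = {
    "067daf75a59388eb63d56ad1474eb73f",
    "0a5eb75d76c319da5f902b76c843a3c7",
    "b2c8dd2194756001223568f6d1ff3e36f121d7d7",
    "18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b",
    "39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012",
    "4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e",
    "6a5db2fe1deabd14864a8d908169e4842c611581bdc3357fa597a8fbbc37baf6",
    "d5800c06fe27cf0c6858ea7e02c8b2d35d7a76a93077f9ca6e41878603c38ef3",
}
IOC_IPS = {refang("177[.]235[.]219[.]126")}
IOC_URLS = {refang(
    "hxxps://api[.]cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my")}
IOC_DOMAINS = {refang(d) for d in (
    "3cd99dd0981c76e5a7b9[.]doomdns[.]com", "4e342df890dd9fb169e0[.]doomdns[.]com",
    "api[.]cacher[.]io", "dyicn[.]ofertadsn[.]com[.]br",
    "hzfzx[.]khadicomunicacao[.]com[.]br", "izlhu[.]ometodoseroficial[.]com",
    "jmaah[.]clicktelefoniaempresarial[.]com[.]br",
    "khqry[.]vitapronobisfassolution[.]com[.]br", "ljoea[.]curasdanatureza[.]com",
    "olukv[.]familyrealstore[.]com", "sohye[.]topracoes[.]com",
    "tjqty[.]deccsmagazine[.]com[.]br", "zpguk[.]cozinhaofertas[.]com",
)}

# Assumption: the listed hostnames share a shape (five lowercase letters, or
# 20 hex characters on doomdns.com). Matching that shape is a hunting
# heuristic, not an IoC, so it is paired with an allowlist (assumed tuning).
DGA_LIKE = re.compile(r"^(?:[a-z]{5}\.[a-z0-9.-]+|[0-9a-f]{20}\.doomdns\.com)$")
ALLOWLIST_SUFFIXES = ("microsoftonline.com",)

HEX_RE = re.compile(r"\b[0-9a-f]{32,64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str   # hash | ip | url | domain | dga-like
    value: str


def allowlisted(host: str) -> bool:
    """True when host is exactly an allowlisted name or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def scan(lines):
    """Return every IoC match and DGA-shaped hostname found in the log lines."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.lower()
        for h in HEX_RE.findall(line):          # MD5 / SHA1 / SHA256 tokens
            if len(h) in (32, 40, 64) and h in IOC_HASHES:
                hits.append(Hit(n, "hash", h))
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", ip))
        for url in URL_RE.findall(line):
            if url.rstrip(".,;)") in IOC_URLS:  # exact match on the full URL
                hits.append(Hit(n, "url", url))
        for host in HOST_RE.findall(line):
            if host in IOC_DOMAINS:
                hits.append(Hit(n, "domain", host))
            elif DGA_LIKE.match(host) and not allowlisted(host):
                hits.append(Hit(n, "dga-like", host))
    return hits


# Constructed sample log lines (not real telemetry); formats are assumed.
SAMPLE_LOGS = [
    "2024-10-17T13:02:11Z dns client=10.0.0.15 query=sohye.topracoes.com type=A",
    "2024-10-17T13:02:12Z proxy client=10.0.0.15 method=GET "
    "url=https://api.cacher.io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my status=200",
    "2024-10-17T13:02:14Z edr host=WS-0015 event=process_create "
    "image=C:\\Users\\ana\\AppData\\Local\\Temp\\picanha.exe "
    "sha256=18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b",
    "2024-10-17T13:02:20Z fw client=10.0.0.15 dst=177.235.219.126 dport=443 action=allow",
    "2024-10-17T13:02:25Z dns client=10.0.0.15 query=xkqzv.example.com type=A",
    "2024-10-17T13:03:00Z dns client=10.0.0.22 query=login.microsoftonline.com type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind:8} {hit.value}")
```

Run against the sample, the first four lines produce exact IoC hits (domain, URL plus its hostname, SHA256, IP), the fifth is flagged only as DGA-shaped for analyst review, and the sixth is suppressed by the allowlist even though "login" has the five-letter shape. Exact IoC hits justify an alert; DGA-shaped hits are a pivot for hunting, not proof of compromise.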

Mitigation and Prevention:

  • User Awareness: Provide regular training on recognizing phishing attempts and suspicious email behavior.
  • Endpoint Protection: Deploy endpoint detection and response (EDR) tooling capable of surfacing in-memory execution and direct syscall use, as seen with Picanha, and block or alert on the file hashes, IP address, URL and domains listed above.
  • Credential Protection: Enforce multi-factor authentication (MFA) to secure banking credentials and reduce the risk of unauthorized access.
  • Network Segmentation: Isolate critical systems to limit lateral movement in the event of a compromise.
  • Patch Management: Keep all systems current with security patches, particularly software that interacts with financial applications. Note that this campaign relies on phishing rather than a software vulnerability, so patching reduces follow-on risk but does not by itself stop Picanha from running.

Conclusion:

Hive0147's combination of the Picanha downloader and the Mekotio banking trojan represents a growing threat to financial institutions and their customers, particularly in Latin America. The group's continued evolution and use of evasive techniques call for vigilance and robust security measures. Organizations, especially in the finance sector, must strengthen defenses and remain proactive in detecting and mitigating such threats.

Sources:

  1. AlienVault: Hive0147 serving juicy Picanha with a side of Mekotio
  2. Security Intelligence: Hive0147 serving juicy Picanha with a side of Mekotio