Hive0147 serving juicy Picanha with a side of Mekotio

216.73.217.80

Hive0147 serving juicy Picanha with a side of Mekotio

· Published 17/10/2024 09:24 · Modified 17/10/2024 09:51

Essential information

Published: 17/10/2024 09:24
Modified: 17/10/2024 09:51
Tags: 2024-10-17 banker.fn banking downloader malware mekotio picanha trojan
Related entities: 20 observables, 1 intrusion sets (apt), 20 techniques (mitre), 3 malware, 2 others

Description

IBM X-Force observed Hive0147, a highly active threat group in Latin America, distributing a new Golang-based downloader named Picanha to deploy the Mekotio banking trojan. Picanha is a two-stage malware that uses advanced techniques like direct syscalls and supports multiple download URLs, reliable encryption, and sophisticated in-memory execution. Mekotio is a Delphi-based banking trojan that targets various banking applications in Latin America, employing tactics like fake login windows, QR code manipulation, and stealing credentials. The malware establishes persistence, enumerates the system, and resolves its command-and-control servers using a domain generation algorithm (DGA). Hive0147's operations highlight the evolving threats targeting the growing digital landscape in Latin America.