<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <link rel="shortcut icon" type="image/x-icon" href="https://securityintelligence.com/wp-content/themes/sapphire/images/favicon.ico" sizes="32x32" /> <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,maximum-scale=1"> <!-- DEFINITIONS --> <title>Hive0147 serving juicy Picanha with a side of Mekotio - Security Intelligence</title> <!--<meta name="description" content="">--> <!-- THEME COLOR --> <meta name="theme-color" content="#000000"> <!-- REFERRER POLICY --> <meta name="referrer" content="no-referrer-when-downgrade"> <script src="https://1.www.s81c.com/common/stats/ibm-common.js" type="text/javascript" async="async"></script> <!-- LANGUAGE/TRANSLATIONS --> <!-- AMP SCRIPTS --> <script async src="https://cdn.ampproject.org/v0.js"></script> <script async custom-element="amp-list" src="https://cdn.ampproject.org/v0/amp-list-0.1.js"></script> <script async custom-template="amp-mustache" src="https://cdn.ampproject.org/v0/amp-mustache-0.2.js"></script> <script async custom-element="amp-accordion" src="https://cdn.ampproject.org/v0/amp-accordion-0.1.js"></script> <script custom-element="amp-animation" src="https://cdn.ampproject.org/v0/amp-animation-0.1.js" async></script> <script custom-element="amp-position-observer" src="https://cdn.ampproject.org/v0/amp-position-observer-0.1.js" async></script> <script async custom-element="amp-bind" src="https://cdn.ampproject.org/v0/amp-bind-0.1.js"></script> <script async custom-element="amp-autocomplete" src="https://cdn.ampproject.org/v0/amp-autocomplete-0.1.js"></script> <script async custom-element="amp-social-share" src="https://cdn.ampproject.org/v0/amp-social-share-0.1.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v1.35.0/card-section-simple.min.js"></script> <script type="module" 
src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/latest/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/tag/v1/next/card-section-simple.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/card.min.js"></script> <script type="module" src="https://1.www.s81c.com/common/carbon-for-ibm-dotcom/version/v2.11.0/image.min.js"></script> <script async custom-element="amp-lightbox-gallery" src="https://cdn.ampproject.org/v0/amp-lightbox-gallery-0.1.js"></script> <script src="https://unpkg.com/swiper/swiper-bundle.min.js"></script> <script async custom-element="amp-video" src="https://cdn.ampproject.org/v0/amp-video-0.1.js"></script> <script async custom-element="amp-youtube" src="https://cdn.ampproject.org/v0/amp-youtube-0.1.js"></script> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-300x158.jpeg.webp" media="(max-width: 300px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets-630x330.jpeg.webp" media="(max-width: 1200px) and (min-width: 301px)"> <link rel="preload" as="image" href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg.webp" media="(max-width: 2400px) and (min-width: 631px)"> <link rel="preload" as="image" 
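href="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/11/Close-up-of-a-smartphone-in-a-male-hands.-The-concept-of-online-messaging-social-media-communication-browsing-the-internet-websites-reading-news.-Wireless-technologies-gadgets.jpeg.webp" media="(max-width: 2400px) and (min-width: 1201px)">
<!-- FONTS -->
<!-- <link rel="preload" href="https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed:300,400,500|IBM+Plex+Sans:300,400,500&display=swap" rel="stylesheet"> -->
<!-- ANALYTICS -->
<!-- NOTE(review): this inline script (together with the on*="" handlers used by the navigation markup further down) forces any Content-Security-Policy for the page to allow 'unsafe-inline'; serving the tagging code from an external file, or giving it a nonce/hash, would let the page run under a strict CSP. -->
<script>
  // Digital Registry: page metadata read by the IBM stats scripts (ibm-common.js / ida_stats.js).
  digitalData = {
    "page": {
      "category": {
        "primaryCategory": "Threat Intelligence"
      },
      "pageInfo": {
        "language": "en-US",
        "country": "US",
        "version": "custom",
        "effectiveDate": "2024-10-16",
        "publishDate": "2024-10-16",
        "optimizely": {
          "enabled": "false"
        },
        "ibm": {
          "contentDelivery": "WordPress",
          "contentProducer": "Hand coded",
          "owner": "",
          "siteID": "SECURITYINTELLIGENCE",
          "type": "Xforce"
        }
      }
    }
  };

  // Custom Click Tagging
  // Collect and send clicks not detectable by ida_stats.js.
  //   section     -> e_a1 (Element Category)
  //   feature     -> e_a2 (Element Name)
  //   destination -> e_a7 (Element Attribute: ibmEvTarget); undefined for elements that are not links.
  // ibmStats is defined by the asynchronously loaded stats scripts (ibm-common.js is `async`,
  // ida_stats.js is `defer`), so a click that lands before they have executed is dropped
  // instead of throwing a ReferenceError from the click handler.
  function sendClickTag(section, feature, destination) {
    var config = {
      type: 'ELEMENT',
      primaryCategory: section,
      eventName: feature,
      targetURL: destination
    };
    if (typeof ibmStats !== 'undefined' && ibmStats && typeof ibmStats.event === 'function') {
      ibmStats.event(config);
    }
  }

  // Attach a one-shot click tag to `node`: the first click sends the tag and flips the
  // `listener` attribute to 'false' so later clicks are ignored. `getDestination`, when
  // supplied, is called with the clicked node and its result is sent as the e_a7 target URL.
  function tagOnce(node, section, feature, getDestination) {
    node.addEventListener('click', function () {
      if (this.getAttribute('listener') === 'true') {
        sendClickTag(section, feature, getDestination ? getDestination(this) : undefined);
        this.setAttribute('listener', 'false');
      }
    }, false);
    node.setAttribute('listener', 'true');
  }

  // Destination getter for anchor elements: the link's href attribute.
  function linkHref(node) {
    return node.getAttribute('href');
  }

  // Custom Link Event
  // Add a click tag to every link (except .btn) inside each element matched by the `element`
  // selector. Links already carrying listener="true" are skipped so a tag is never attached twice.
  function tagAllLinks(element, section, feature) {
    var containers = document.querySelectorAll(element);
    for (var c = 0; c < containers.length; c++) {
      var links = containers[c].querySelectorAll("a:not(.btn)");
      for (var l = 0; l < links.length; l++) {
        if (links[l].getAttribute('listener') !== 'true') {
          tagOnce(links[l], section, feature, linkHref);
        }
      }
    }
  }

  window.onload = function () {
    var i;

    // Call to action click tag: links in the article body, sent with their href as destination
    // (consistent with tagAllLinks, which also reports the href).
    var ctaLinks = document.querySelectorAll(".single__content a");
    for (i = 0; i < ctaLinks.length; i++) {
      tagOnce(ctaLinks[i], "BODY", "CALL TO ACTION", linkHref);
    }

    // Read more click tag
    var readButtons = document.querySelectorAll(".continue-reading button");
    for (i = 0; i < readButtons.length; i++) {
      tagOnce(readButtons[i], "BODY", "READ-MORE");
    }

    // LISTICLES tag - arrows (each arrow is tagged on its first click only)
    var leftArrow = document.getElementById("prev");
    if (leftArrow) {
      tagOnce(leftArrow, "BODY", "LISTICLE-LEFT-ARROW");
    }
    var rightArrow = document.getElementById("next");
    if (rightArrow) {
      tagOnce(rightArrow, "BODY", "LISTICLE-RIGHT-ARROW");
    }

    // LISTICLES tag - numbers
    // One counter is shared by all pagination buttons: the n-th pagination button clicked is
    // tagged as slide n+1 while the count is within the number of buttons, after that as END.
    // The counter and the total live outside the loop so the handlers do not close over the
    // loop index (the previous version read `i` from the closure, which only worked because
    // `var` made it function-scoped).
    var listicleButtons = document.querySelectorAll(".listicle__pagination__numbers");
    var totalSlides = listicleButtons.length;
    var slidesNavigated = 1;
    for (i = 0; i < listicleButtons.length; i++) {
      listicleButtons[i].addEventListener('click', function () {
        if (this.getAttribute('listener') === 'true') {
          slidesNavigated++;
          if (slidesNavigated <= totalSlides) {
            sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-SLIDE" + slidesNavigated);
          } else {
            sendClickTag("PAGE CLICK", "LISTICLE-NAVIGATION-END");
          }
          this.setAttribute('listener', 'false');
        }
      }, false);
      listicleButtons[i].setAttribute('listener', 'true');
    }
  };
</script>
<!-- COREMETRICS -->
<!-- NOTE(review): cross-origin scripts on this page (this one, ibm-common.js above and the unversioned unpkg.com swiper bundle) are loaded without Subresource Integrity; where the asset URL can be pinned to an immutable version, add integrity and crossorigin attributes. -->
<script defer src="https://1.www.s81c.com/common/stats/ida_stats.js" type="text/javascript"></script>
<!-- AMP DEFAULT CSS -->
<style amp-boilerplate> body { -webkit-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -moz-animation: -amp-start 8s steps(1, end) 0s 1 normal both; -ms-animation: -amp-start 8s steps(1, end) 0s 1 normal both; animation: -amp-start 8s steps(1, end) 0s 1 normal both } @-webkit-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-moz-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-ms-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @-o-keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } @keyframes -amp-start { from { visibility: hidden } to { visibility: visible } } </style><noscript> <style amp-boilerplate> body { -webkit-animation: none; -moz-animation: none; -ms-animation: none; animation: none } </style> </noscript>
<link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/modules.css?v=1715191630">
<!-- CUSTOM CSS -->
<meta name='robots' content='max-image-preview:large' />
<script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/securityintelligence.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.6.2"}}; /*!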
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://securityintelligence.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.2' type='text/css' media='all' /> <style id='classic-theme-styles-inline-css' type='text/css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 
100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) 
!important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: 
var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='taxonomy-image-plugin-public-css' href='https://securityintelligence.com/wp-content/plugins/taxonomy-images/css/style.css?ver=0.9.6' type='text/css' media='screen' /> <script type="text/javascript" src="https://securityintelligence.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script type="text/javascript" 
src="https://securityintelligence.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://securityintelligence.com/wp-content/themes/sapphire/app/javascript/si-theme-cookie.js?ver=6.6.2" id="si-cookie-consent-js"></script> <link rel="https://api.w.org/" href="https://securityintelligence.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://securityintelligence.com/wp-json/wp/v2/xforce/448263" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://securityintelligence.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.6.2" /> <link rel='shortlink' href='https://securityintelligence.com/?p=448263' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fx-force%2Fhive0147-serving-juicy-picanha-with-side-of-mekotio%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://securityintelligence.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurityintelligence.com%2Fx-force%2Fhive0147-serving-juicy-picanha-with-side-of-mekotio%2F&format=xml" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb-80x80.png" sizes="32x32" /> <link rel="icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <meta name="msapplication-TileImage" content="https://securityintelligence.com/wp-content/uploads/2016/04/SI_primary_rgb.png" /> <style amp-custom>@import url('https://fonts.googleapis.com/css?family=IBM+Plex+Sans:200,300,400,500,600');@import url('https://fonts.googleapis.com/css?family=IBM+Plex+Sans+Condensed:300,400,500,600,700');@import 
url('https://fonts.googleapis.com/css2?family=IBM+Plex+Serif&display=swap')</style><link rel="stylesheet" href="https://unpkg.com/swiper/swiper-bundle.min.css"><link rel="stylesheet" href="https://securityintelligence.com/wp-content/themes/sapphire/minifications/single.css?v=1722279696"> <!-- YOAST SEO --> <!-- This site is optimized with the Yoast SEO Premium plugin v13.1 - https://yoast.com/wordpress/plugins/seo/ --> <meta name="description" content="IBM X-Force has been tracking and monitoring Hive0147, one of Latin America's most active threat groups. Read more on the threat group's latest activities."/> <meta name="robots" content="max-snippet:-1, max-image-preview:large, max-video-preview:-1"/> <link rel="canonical" href="https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Hive0147 serving juicy Picanha with a side of Mekotio - Security Intelligence" /> <meta property="og:description" content="IBM X-Force has been tracking and monitoring Hive0147, one of Latin America's most active threat groups. Read more on the threat group's latest activities." 
/> <meta property="og:url" content="https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/" /> <meta property="og:site_name" content="Security Intelligence" /> <meta property="article:tag" content="IBM X-Force Research" /> <meta property="article:tag" content="Latin America" /> <meta property="article:tag" content="Malware" /> <meta property="article:tag" content="Phishing" /> <meta property="article:tag" content="Threat Intelligence" /> <meta property="article:tag" content="X-Force" /> <meta property="article:section" content="Threat Intelligence" /> <meta property="fb:app_id" content="3703311399714818" /> <meta property="og:image" content="https://securityintelligence.com/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code.jpeg" /> <meta property="og:image:secure_url" content="https://securityintelligence.com/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code.jpeg" /> <meta property="og:image:width" content="1200" /> <meta property="og:image:height" content="630" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:description" content="IBM X-Force has been tracking and monitoring Hive0147, one of Latin America's most active threat groups. Read more on the threat group's latest activities." 
/> <meta name="twitter:title" content="Hive0147 serving juicy Picanha with a side of Mekotio - Security Intelligence" /> <meta name="twitter:image" content="https://securityintelligence.com/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code.jpeg" /> <script type='application/ld+json' class='yoast-schema-graph yoast-schema-graph--main'>{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://securityintelligence.com/#website","url":"https://securityintelligence.com/","name":"Security Intelligence","inLanguage":"en-US","description":"Analysis and Insight for Information Security Professionals","potentialAction":{"@type":"SearchAction","target":"https://securityintelligence.com/?s={search_term_string}","query-input":"required name=search_term_string"}},{"@type":"ImageObject","@id":"https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/#primaryimage","inLanguage":"en-US","url":"https://securityintelligence.com/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code.jpeg","width":1200,"height":630,"caption":"Closeup on a laptop screen displaying green code in a dimly red-lit room"},{"@type":"WebPage","@id":"https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/#webpage","url":"https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/","name":"Hive0147 serving juicy Picanha with a side of Mekotio - Security Intelligence","isPartOf":{"@id":"https://securityintelligence.com/#website"},"inLanguage":"en-US","primaryImageOfPage":{"@id":"https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/#primaryimage"},"datePublished":"2024-10-16T17:00:00+00:00","dateModified":"2024-10-18T06:59:39+00:00","description":"IBM X-Force has been tracking and monitoring Hive0147, one of Latin America's most active threat groups. 
Read more on the threat group's latest activities."}]}</script> <!-- / Yoast SEO Premium plugin. --> </head> <body class="si_body" > <nav id="navigation" class="navigation navigation--homepage " aria-label="Security Intelligence"> <div class="container"> <div class="row"> <!-- LOGO --> <div class="navigation__brand"> <a href="https://securityintelligence.com" title="Security Intelligence" tabindex="1"> <amp-img width="280" height="31" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/logo-white.svg" alt="Security Intelligence Logo"> <div fallback> <h6>Security Intelligence</h6> </div> </amp-img> </a> </div> <!-- DESKTOP MENU - HOVER --> <div class="navigation__menu" onmouseleave="delete localStorage['megamenu-status']"> <a tabindex="2" id="nav-news" href="/news/" class="navigation__button " data-menu="megamenu__news" onclick="localStorage['megamenu-status'] = 'first-interaction';">News</a> <a tabindex="4" id="nav-topics" href="/category/topics/" class="navigation__button " data-menu="megamenu__topics" onclick="localStorage['megamenu-status'] = 'first-interaction';">Topics</a> <a tabindex="5" id="nav-x-force" href="/x-force/" class="navigation__button " data-menu="megamenu__threat" onclick="localStorage['megamenu-status'] = 'first-interaction';">X-Force</a> <a tabindex="6" id="nav-media" href="/media/" class="navigation__button " data-menu="megamenu__podcast" onclick="localStorage['megamenu-status'] = 'first-interaction';">Podcast</a> <button aria-label="search Button" class="navigation__search" onclick="document.getElementById('search__input').focus()" on="tap:search.toggleClass(class='megamenu__open')" role="link" tabindex="-1" type="button"> <amp-img tabindex="7" width="24" height="24" layout="responsive" src="https://securityintelligence.com/wp-content/themes/sapphire/images/search.svg" alt="Click to open the search bar"></amp-img> </button> </div> <!-- TABLET MENU - TAP/CLICK --> <div id="search-tablet" 
id="scrollToTopButton" on="tap:top-viewer.scrollTo(duration=200, position=bottom)" class="tap_target "> <div class="scroll-to-top__button"> <amp-img width="12" height="16" layout="fixed" alt="Back-to-top" src="https://securityintelligence.com/wp-content/themes/sapphire/images/scroll-to-top.svg"></amp-img> </div> </button> </div> <!-- SCROLL SHOW/HIDE ANIMATION --> <amp-animation id="showAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "1", "visibility": "visible" }] }] } </script> </amp-animation> <amp-animation id="hideAnim" layout="nodisplay"> <script type="application/json"> { "duration": "200ms", "fill": "both", "iterations": "1", "direction": "alternate", "animations": [{ "selector": "#scrollToTopButton", "keyframes": [{ "opacity": "0", "visibility": "hidden" }] }] } </script> </amp-animation> </div> <!-- CHECK PAGE POSITION --> <amp-position-observer target="top-viewer" intersection-ratios="0" on="enter:hideAnim.start; exit:showAnim.start" layout="nodisplay"></amp-position-observer> <!-- SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "http://schema.org", "@type": "Article", "headline": "Hive0147 serving juicy Picanha with a side of Mekotio", "mainEntityOfPage": "https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/", "author": { "@type": "Person", "name": "Golo Mühr" }, "datePublished": "2024-10-16T13:00:00-04:00", "dateModified": "2024-10-18T02:59:39-04:00", "publisher": { "@type": "Organization", "name": "Security Intelligence", "logo":{ "@type": "ImageObject", "url": "https://securityintelligence.com/wp-content/themes/security-intelligence/assets/img/logo.png" } }, "image": [ "https://securityintelligence.com/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code-630x330.jpeg" ], "articleBody": 
"<!-- wp:paragraph --> <p>IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147 also distributes other banking trojans, such as Banker.FN also known as Coyote, and is likely affiliated with several other Latin American cyber crime groups operating different downloaders and banking trojans to enable banking fraud.</p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">Key findings</h2> <!-- /wp:heading --> <!-- wp:list --> <ul class="wp-block-list"><!-- wp:list-item --> <li>Hive0147 is one of the most active URL-based phishing threat actors targeting LATAM</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Malware distributed by Hive0147 has led to a variety of banking trojans, including Banker.FN and Mekotio</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>X-Force discovered a new two-stage downloader named Picanha, which was used to facilitate a Mekotio infection</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>The Mekotio variant observed by X-Force targets a multitude of banking applications and uses DGA to resolve its C2 servers</li> <!-- /wp:list-item --></ul> <!-- /wp:list --> <!-- wp:heading --> <h2 class="wp-block-heading">LATAM digital landscape</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>LATAM has increasingly become a highly targeted cyber threat landscape, specifically in Brazil and Mexico, where economies and industries show strong development. 
Evolving digital landscapes can be seen expanding into government services and financial technologies, including mobile banking. The <a href="https://paymentscmi.com/wp-content/uploads/2023/08/2023_PCMI_Blueprint_Standard_August-2023.pdf">2023 Latin America E-commerce Blueprint</a> found that e-commerce will steadily grow by at least 20% annually due to improved technology, innovations from online platforms and the adoption of alternative payment methods. In 2023, 71% of adults in the region had a financial account, and it is estimated that between 2023 and 2026, 33 million new users will use the internet for the first time. E-commerce in LATAM, including retail and other sectors like tax payments, fees and licenses, bill payments and government services, has dominated with 70% of e-commerce transactions conducted over mobile channels since 2020. Conducting transactions over mobile channels gives users the flexibility to store user credentials in digital wallets and initiate real-time bank transfers. For example, Brazil's 'Pix' payment platform accounts for 16% of the region's e-commerce transaction volume. By 2026, it is estimated that Pix growth will account for 38% of online sales. With increasing digital developments in LATAM, specifically with e-commerce platforms, IBM X-Force assesses malware distributors such as Hive0147 are taking advantage of the growth. Malware distributors operating within LATAM are increasing <a href="https://www.ibm.com/topics/phishing">phishing</a> campaign delivery in hopes of obtaining credentials, specifically banking credentials, for monetary gain. 
<a href="https://www.ibm.com/reports/threat-intelligence?utm_content=SRCWW&p1=Search&p4=43700079592066625&p5=e&p9=58700008676650552&gclid=EAIaIQobChMI06WYlqS2iAMVKy7UAR3mSxgXEAAYASAAEgK48fD_BwE&gclsrc=aw.ds">Throughout 2023</a>, LATAM remained a highly impacted region, accounting for 12% of <a href="https://www.ibm.com/topics/incident-response">incident response</a> cases supported by IBM X-Force. In 2023, entities and users in Brazil were most frequently targeted, making up 68% of all cases that IBM X-Force responded to in LATAM, while users in Colombia accounted for 17%, and users in Chile 8%.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>IBM X-Force tracks several threat actors operating in LATAM, although attribution and clustering can be difficult due to overlapping tactics, techniques and procedures (TTPs). Phishing campaigns within the LATAM region typically contain themes related to public service, government, taxes and invoices, with the email bodies including either Portuguese or Spanish language content. Often, infection chains consist of multiple stages, starting with either PDF lures or URLs. <a href="https://www.ibm.com/blog/x-force-cloud-threat-landscape/">Cloud-hosted</a> payloads commonly observed in campaigns use platforms such as Azure blob (blob.core.windows.net), Azure (cloudapp.azure.com), Firebase dynamic links, GoDaddy (host.secureserver.net) and Google Cloud Run (app.goo.gl). When users click on one of the provided links, they are redirected and initiate the download of a ZIP archive file. Depending on the campaign, X-Force notes the ZIP files might contain one of the following file types: MSI, EXE, CMD, HTA or VBS. Executing the ZIP file starts the infection chain, with some distributors being partial to specific malware such as BlotchyQuasar (Hive0129), Guildma and some Grandoreiro operators, while others use different payloads and a variety of forks. 
Frequently, email campaigns containing redirect links are geofenced, requiring the user to access the links from within a specific LATAM country (most commonly Brazil, Mexico or Colombia).</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>Hive0147 is one of the most active banking malware distributors that IBM X-Force currently observes operating in LATAM. IBM X-Force has been tracking a steady influx of campaigns grouped under Hive0147 delivering the banking trojan Banker.FN, as well as a new Golang-based downloader we've named "Picanha," deploying the well-known Mekotio banking trojan. Although we do not attribute this new downloader to Hive0147 specifically, IBM X-Force assesses that LATAM distributors operate under a similar model to other cyber crime groups, with affiliate groups specializing in spamming, malware staging or crypting, and banking trojan operations and monetization.</p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">Hive0147 distribution activity</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>Most of Hive0147's emails are sent from French IP addresses, although there has been a recent shift to emails almost exclusively being sent from Dutch IP addresses. Shifting the location of sender IP addresses may be an attempt to evade detection and bypass security, prevent IP blocking or make attribution difficult. Interestingly, of the campaign activity observed since January, X-Force found that about half of the emails have a successful DomainKeys Identified Mail (DKIM) verification. DKIM is a method in which cryptographic signatures are used to verify the authenticity of an email message and to ensure that it did not change in transit. Emails that pass DKIM checks may be less likely to be flagged as spam. 
For Hive0147, failed DKIM checks may have been a misconfiguration on the actor's part or the result of using different services or infrastructures that do not support DKIM.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>During phases of activity, IBM X-Force has observed Hive0147 exhibit a significantly higher volume of activity compared to other LATAM malware distributors. Since January 2024, X-Force notes that activity attributed to Hive0147 occurs on all days during the week; however, activity mainly occurs Monday to Thursday, with 80% of campaign emails sent on these days. Interestingly, from April to July, we saw an almost complete stop in activity, which may be the result of higher-than-normal domestic travel. Brazil's travel industry is growing rapidly, which can be seen in the increase in both domestic and international air traffic. The National Civil Aviation Agency (ANAC) reported a significant increase in flight passenger traffic of <a href="https://www.riotimesonline.com/passenger-volume-in-brazilian-airports-increases-by-4-4-in-first-half-of-2024/">4.4%</a> between January and June 2024, recording 56.2 million passengers. 
In addition, the International Air Transport Association (IATA) <a href="https://www.travelandtourworld.com/news/article/how-brazil-is-beating-us-in-the-global-travel-industry-boom/">reported</a> that in July 2024, domestic tourism in Brazil grew by a substantial 8.9%.</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448270,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-1.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-1.png" alt="" class="wp-image-448270"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 1: Hive0147 active campaign days</em></p> <!-- /wp:paragraph --> <!-- wp:image {"id":448271,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-2.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-2.png" alt="" class="wp-image-448271"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 2: Hive0147 top six IP usage by country</em></p> <!-- /wp:paragraph --> <!-- wp:image {"id":448272,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-3.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-3.png" alt="" class="wp-image-448272"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 3: Hive0147 DKIM success and permanent_error</em></p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">Hive0147 and Banker.FN</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>IBM X-Force has been tracking and clustering a series of campaigns as Hive0147 since 2023, which have been delivering the banking trojan Banker.FN. 
Banker.FN is a .NET-based banking trojan first <a href="https://web-assets.esetstatic.com/wls/2022/12/Spy.Banker.FN_novo-trojan-banc%C3%A1rio-est%C3%A1-sendo-propagado-no-Brasil.pdf">reported</a> in early 2023, with activity dating back to at least September 2022. Since then, Banker.FN has received several updates with added functionality.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>Banker.FN is able to: </p> <!-- /wp:paragraph --> <!-- wp:list --> <ul class="wp-block-list"><!-- wp:list-item --> <li>Exfiltrate sensitive information</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Enumerate active banking websites</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Display fake logins and multi-factor authentication windows </li> <!-- /wp:list-item --></ul> <!-- /wp:list --> <!-- wp:paragraph --> <p>IBM X-Force attributes campaigns delivering Banker.FN to Hive0147 with medium confidence, as activity can be difficult to delineate from other LATAM distributors due to TTP overlaps. 
X-Force considers the reported Banker.FN campaigns from July 2023 to (likely) November 2023 to be Hive0147 operations.</p> <!-- /wp:paragraph --> <!-- wp:heading {"level":3} --> <h3 class="wp-block-heading">Campaign elements between July and November 2023:</h3> <!-- /wp:heading --> <!-- wp:table --> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th scope="col">Emails</th><th scope="col">Cloud-hosted Payloads</th><th scope="col">ZIP Download</th><th scope="col">Use of Electron App</th><th scope="col">Installer</th><th scope="col">NIM Loader</th><th scope="col">Filenames</th></tr></thead><tbody><tr><td>Sent during the week (determined either by X-Force observation or from ZIP file compile dates)</td><td>X-Force observed goo.gl URLs or unknown</td><td>Yes</td><td>Yes</td><td>NSIS <em>transition to</em> Squirrel</td><td>Yes</td><td>All similar, containing variations and combinations of "PDF, Fatur, Mensal, doc"</td></tr></tbody></table></figure> <!-- /wp:table --> <!-- wp:heading --> <h2 class="wp-block-heading">Distribution disguised as Electron app</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>In late July-August 2023, X-Force observed that Banker.FN version 1.0.0.89 was being distributed in high-volume email campaigns. Campaigns were active during the weekdays, targeting users in Brazil with emails written in themes related to invoices and deliveries. Emails contained an embedded "app.goo[.]gl" link, redirecting users to Firebase dynamic links to download a malicious Electron app acting as a loader. Upon installation, the loader goes through several infection stages, including a Nim-compiled crypter, to stealthily inject the final payload. 
The banking trojan is then able to exfiltrate sensitive information, enumerate active banking websites, and display fake logins and multi-factor authentication windows.</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448273,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-4.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-4.png" alt="" class="wp-image-448273"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 4: Examples of fake multi-factor authentication windows</em></p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">Abusing the Squirrel installer</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>IBM X-Force observed the distribution of Banker.FN again in late August 2023, this time delivered via DocuSign. Although emails were sent Friday-Monday, most emails were delivered on Friday. The campaign targeted Portuguese-speaking users and directed the recipient to review and sign a document by clicking on a Firebase dynamic link. The victim is then redirected to a dropper site, which, once the domain resolves, downloads a ZIP file onto the victim's machine. The downloaded ZIP archive contains an executable posing as a PDF file, which is a malicious Electron app built into a Squirrel.Windows installer. 
Upon execution, it installs its malicious components, establishes persistence, detects virtual environments and decrypts the next stage before executing it via DLL hijacking.</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448274,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-5.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-5.png" alt="" class="wp-image-448274"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 5: Sample email</em></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>The Electron app built into a <strong>Squirrel.Windows</strong> installer is a slight change from the previous campaign, where the Electron app was built into an NSIS installer. The app, however, is built the same way and contains an obfuscated JavaScript installer that checks for common virtual machine environments before establishing persistence and decrypting an archive containing another trojanized application. The trojanized application executes a legitimate executable, which in turn executes a bloated malicious loader via DLL hijacking, continuing the attack execution. This campaign continues with the use of a Nim-compiled loader using more advanced techniques such as direct syscalls.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>Further reports made public in <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/">February</a> and <a href="https://blogs.blackberry.com/en/2024/07/coyote-banking-trojan-targets-latam-with-a-focus-on-brazilian-financial-institutions">July</a> 2024 detail campaigns likely occurring in late 2023 delivering a purported new malware named "Coyote"; however, the malware is a banking trojan <a href="https://drive.google.com/file/d/1YE_q1SRhMwTz-J56lcxGWqoB4C2iR9kV/view">first discovered by ESET</a> called Banker.FN. 
The infection chain in both campaigns involves the Squirrel installer for malware distribution, as well as NodeJS and Nim Loader.</p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">"Picanha" and the role of downloaders in the banking trojan ecosystem</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>The ecosystem of LATAM banking trojans is unique in comparison to other cyber crime operations. It is one of the only regions in which banking trojans are still used heavily to commit banking fraud, while most other banking trojans have since moved on to become backdoors and botnets to furnish <a href="https://www.ibm.com/topics/ransomware">ransomware</a> attacks. The threat groups operating out of LATAM and Spain also display a high degree of cross-group collaboration, while sticking to their tried-and-true techniques, seldom found in other regions. Although this does help to quickly identify a "Latin American banking trojan" group or campaign, attribution is often very challenging due to the strong overlaps. Different malware strains will often use similar string encryption algorithms, and several banking trojans are believed to be operated as Malware-as-a-Service or have several independently developed and operated forks. The same applies to the malware distributors, which mainly rely on shared techniques such as public cloud hosting and phishing emails containing PDFs and malicious URLs to download ZIP archives containing the first-stage <a href="https://www.ibm.com/topics/malware">malware</a>.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>In most cases, the first stage is a downloader-type malware. These come in all shapes and sizes and can have varying levels of complexity. 
A large portion of downloaders are script-based, often featuring lengthy infection chains comprised of scripts including Batch, JavaScript, Visual Basic Script or PowerShell, and the scripts themselves may also be embedded in files such as HTML, LNK (Guildma especially) or MSI installers. The more complex downloaders often support some very basic enumeration on the host, which they pass back to their C2/download server, in order to notify the operators of the potential value of an infection. One example is the <a href="https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/">Grandoreiro downloader</a>, a member of the Grandoreiro family which features its own string encryption and performs detailed enumeration before downloading the main banking trojan.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>Other downloaders are more generic but are also used to download banking trojans such as Grandoreiro. What the latter have in common is that they almost always download a full archive containing a legitimate application, with the malware hidden in a trojanized DLL which is loaded by the application upon execution. The reason for this method of packaging and distribution is so that any potentially suspicious activity performed by the banking trojan appears to EDR solutions as if it is coming from a legitimate executable's process. This recurring technique is characteristic of the LATAM ecosystem and has been a distinctive feature for several years. In mid-2024, IBM X-Force observed a campaign delivering a new downloader exhibiting the same characteristics. X-Force named the new Golang-based downloader <strong>"Picanha."</strong></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>The Picanha downloader is the next evolution of this malware type, offering enhanced features such as supporting more download URLs, reliable encryption and a more sophisticated in-memory execution mechanism, surpassing previous downloader capabilities. 
However, the builder for Picanha, which is responsible for creating the random function names and other values, is likely still under development. Frequent code changes, such as bug fixes and the presence of unused configuration values, may further indicate that future versions could include additional features such as persistence for the downloaded payload.</p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">Picanha downloader</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>In July 2023, IBM X-Force observed an email campaign using the new Golang-based downloader Picanha to deliver the Mekotio banking trojan. The initial phishing email is in Portuguese and targets employees informing them of an apparent change in the number of vacation days they have. This theme directly threatens employees' well-being and the sense of urgency may lead to victims impulsively clicking on the included URL to view the changes.</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448275,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-6.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-6.png" alt="" class="wp-image-448275"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 6: Sample phishing email</em></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>As in previous campaigns targeting LATAM entities, the URL uses Google's Cloud Run service and redirects victims to a site to download a ZIP file containing a malicious executable. 
The new Golang-based malware "Picanha downloader" consists of two stages.</p> <!-- /wp:paragraph --> <!-- wp:heading {"level":3} --> <h3 class="wp-block-heading">Stage 1</h3> <!-- /wp:heading --> <!-- wp:paragraph --> <p>Notably, the first stage of the Golang executable contains original function names; however, these have been selected randomly for each sample based on a Portuguese wordlist:</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448276,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-7.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-7.png" alt="" class="wp-image-448276"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 7: Wordlist</em></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>First, Picanha begins by executing a function designed to imitate the Sleep command. The function calculates the elapsed time and performs random calculations until a randomly chosen threshold is reached. The calculation time varies from 25 seconds to 3 minutes. 
This technique is likely to hinder or slow down detection engines, which often hook the Sleep API to skip dormant periods; since the busy-loop calculation never calls Sleep, that shortcut does not apply here.
--></ul> <!-- /wp:list --> <!-- wp:paragraph --> <p>Picanha will then create a new folder in a randomly chosen folder within the <strong>%LOCALAPPDATA% </strong>directory. For the analyzed sample based on the above config, the folder would be named <strong>"secretores."</strong></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>Next, the malware enters a loop and attempts to connect to each of the 10 embedded download domains until one is successful. Between the requests, the malware sleeps in random intervals. For each domain, it constructs a full URL and attempts to download a payload. If the request is successful, it will parse the payload as a ZIP archive and extract the contents into the newly created directory.</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448279,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-9.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-9.png" alt="" class="wp-image-448279"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 9: Loop attempting connections to embedded domains</em></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>After that, the malware checks for the presence of the Topaz OFD banking security protection module, ensuring it is installed by verifying if the path <strong>"C:\Program Files\Topaz OFD\Warsaw"</strong> exists on the system. Depending on the result, Picanha issues a second HTTP GET request to the following URL using the same domain as for the ZIP download:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>https://<domain>/N -> Not installed https://<domain>/S -> Installed</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>Finally, Picanha launches the main executable which was extracted from the ZIP archive. 
As often seen with infection chains of related banking trojans, the main executable is a legitimate application that loads a trojanized DLL, in this case, named <strong>NsBars.dll</strong>.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>In the example above, the extracted archive contains innocuous files related to the legitimate application and the following three files used for the next steps of the infection chain:</p> <!-- /wp:paragraph --> <!-- wp:table --> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><td><strong>Relative path</strong></td><td><strong>Description</strong></td><td><strong>SHA256</strong></td></tr></thead><tbody><tr><td>.\Textoescritor.exe</td><td>Legitimate application</td><td>39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012</td></tr><tr><td>.\bin\NsBars.dll</td><td>Malicious DLL (Picanha Stage 2), replacing the original NsBars.dll</td><td>4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e</td></tr><tr><td>.\wFHYfjQNzkoG.dat</td><td>Encrypted Mekotio payload</td><td>18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b</td></tr></tbody></table></figure> <!-- /wp:table --> <!-- wp:paragraph --> <p>Picanha's first stage terminates after executing <strong>Textoescritor.exe</strong>. The legitimate application goes on to load a series of user DLLs from the "bin" subdirectory, including the trojanized<strong> NsBars.dll</strong>. When NsBars.dll is loaded, the export function "BarCreate" is called. 
The code in this function is responsible for executing the second stage of Picanha.</p> <!-- /wp:paragraph --> <!-- wp:heading {"level":3} --> <h3 class="wp-block-heading">Stage 2</h3> <!-- /wp:heading --> <!-- wp:paragraph --> <p>Picanha's second stage starts with the decryption of the final payload (Mekotio), which requires two arguments to proceed: </p> <!-- /wp:paragraph --> <!-- wp:list {"ordered":true} --> <ol class="wp-block-list"><!-- wp:list-item --> <li>The filename of the encrypted payload "wFHYfjQNzkoG.dat"</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>A decryption password "hNWzPAsZVruI" </li> <!-- /wp:list-item --></ol> <!-- /wp:list --> <!-- wp:paragraph --> <p>The final payload is decrypted in memory using the SHA256 hash of the password as a key for the AES-256-GCM algorithm.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>Finally, the address of the decrypted Mekotio payload is passed to a loader function to manually map the binary into a new buffer in memory and resolve its imports. The loader function retrieves the entry point of the Mekotio payload and transfers execution to it.</p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">Mekotio banking trojan</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>The Mekotio banking trojan is a Delphi-compiled executable, in this case a 64-bit DLL. Execution begins in the main class with the <em>FormCreate </em>function which attempts to retrieve handles for the following DLLs used by banking security applications:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>wslbscr32.dll wslbscrwh32.dll RapportGH.dll rooksbas.dll rooksdol.dll</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>If they were already loaded into memory, Mekotio would attempt to unload the DLLs by calling <em>DllMain </em>with the DLL_PROCESS_DETACH parameter. 
However, a simple error in the code causes this functionality to fail due to an encrypted string missing its decryption function:</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448280,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-10-1.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-10-1.png" alt="" class="wp-image-448280"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 10: Decryption function</em></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>The next interesting piece of code uses <em>SetSecurityInfo </em>to modify the discretionary access control list (DACL) of its process, setting it to a new empty DACL.</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448281,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-11.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-11.png" alt="" class="wp-image-448281"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 11: Empty DACL</em></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>This prevents Windows 7 users from using Windows Task Manager to terminate the process.</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448282,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-12.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-12.png" alt="" class="wp-image-448282"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 12: Error message</em></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>However, users can still terminate the process from Administrator mode in the Task Manager and the technique does not work in 
Windows 8.1 and above.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>Mekotio also loads two DLLs needed during execution, "Magnification.dll" and "dwmapi.dll". Finally, the malware begins its enumeration procedure and initiates command and control (C2) communication. Like most other Delphi-based banking trojans, the different classes and functions implementing the various features of the malware are scheduled via Delphi Timer objects.</p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">Persistence</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>Upon execution, Mekotio establishes persistence using a registry key. It writes the path of the running executable (the legitimate binary loading the Picanha stage 2 DLL) to the following key, causing Mekotio to execute immediately after every login. At the same time a file "maisum2.dat" is dropped into the current directory, as an indicator that persistence was established successfully.</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>HKEY_CURRENT_USER\Environment\UserInitMprLogonScript</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>In addition, Mekotio is able to accept a C2 command requesting to establish persistence through another registry key. 
In that case, the banking trojan runs </p> <!-- /wp:paragraph --> <!-- wp:image {"id":448290,"width":"75px","height":"auto","sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full is-resized"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Screenshot-2024-10-16-at-10.22.38 AM-1.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Screenshot-2024-10-16-at-10.22.38 AM-1.png" alt="" class="wp-image-448290" style="width:75px;height:auto"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p> with the "REG ADD" command to write the same path to:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code></pre> <!-- /wp:code --> <!-- wp:heading --> <h2 class="wp-block-heading">Command and control</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>Mekotio begins its first C2 connection with an HTTP POST request, sending an encrypted string containing basic enumeration data on the newly infected client. For example:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>dqbw802=7mvejj3zfwoD5880AhFzv62fA3n7sz8oB4nBoAB3Da&Bcdv2=D929321e3a0651A0ae94b2979e&by4ps8=067DAF75a59388eb63d56AD1474EB73F&40z0uuE=9034F4&y1ry=86FD5dF9&h5i2c8cD3=F37c8880819a78d86bF55BE04e&5c9mt=&zwCbcq=6E8389839392D52FEA31D356C73bA429ac53&83whhjc=&</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>The data is formatted using the following pattern:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code><random_string>=<value1>&<random_string>=<value2>&<random_string>=<value3>...</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>The first value is a randomly generated 42-character key, which decrypts all other values using the standard Mekotio string encryption algorithm. 
The encrypted values contain the following system information: </p> <!-- /wp:paragraph --> <!-- wp:list --> <ul class="wp-block-list"><!-- wp:list-item --> <li>Computer name</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Username</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Windows version</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Mekotio version string "D22"</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Installed security software (Topaz OFD, Trusteer, Banco Bradesco "Componentes de Segurança")</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Installed anti-virus software </li> <!-- /wp:list-item --></ul> <!-- /wp:list --> <!-- wp:paragraph --> <p>The analyzed sample does not contain a valid URL, which in turn causes the C2 request to fail. As often observed in related banking trojans, this might well be a deprecated functionality not properly cleaned up.</p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">DGA</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>The rest of the banking trojan's functionality may use a choice of two different DGA mechanisms to generate a domain and resolve its C2 server. Afterward, the actual Mekotio C2 communication is performed via Windows Sockets.</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>The first DGA mechanism, when the DGA mode configuration value is set to 1, generates a new domain based on the following data: </p> <!-- /wp:paragraph --> <!-- wp:list {"ordered":true} --> <ol class="wp-block-list"><!-- wp:list-item --> <li>Day of the month</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Month of the year</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Hardcoded seed "mkro" </li> <!-- /wp:list-item --></ol> <!-- /wp:list --> <!-- wp:paragraph --> <p>The resulting strings are then concatenated. 
For September 16th for instance, the result is "1609mkro."</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>For a DGA mode set to 2, Mekotio also incorporates the hour of the day within a specific period. The following time frames are mapped to a specific string:</p> <!-- /wp:paragraph --> <!-- wp:table --> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><td><strong>Time is less than</strong></td><td><strong>Mapped string</strong></td></tr></thead><tbody><tr><td>07:00:00</td><td>"AM01"</td></tr><tr><td>08:00:00</td><td>"AM02"</td></tr><tr><td>09:00:00</td><td>"AM03"</td></tr><tr><td>10:00:00</td><td>"AM04"</td></tr><tr><td>11:00:00</td><td>"AM05"</td></tr><tr><td>12:00:00</td><td>"AM06"</td></tr><tr><td>13:00:00</td><td>"PM01"</td></tr><tr><td>14:00:00</td><td>"PM02"</td></tr><tr><td>15:00:00</td><td>"PM03"</td></tr><tr><td>16:00:00</td><td>"PM04"</td></tr><tr><td>17:00:00</td><td>"PM05"</td></tr><tr><td>18:00:00</td><td>"PM06"</td></tr></tbody></table></figure> <!-- /wp:table --> <!-- wp:paragraph --> <p>The second DGA method uses the provided string to concatenate the following data: </p> <!-- /wp:paragraph --> <!-- wp:list {"ordered":true} --> <ol class="wp-block-list"><!-- wp:list-item --> <li>Day of the week</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Day of the month</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Timeframe string</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Hardcoded seed "mkro" </li> <!-- /wp:list-item --></ol> <!-- /wp:list --> <!-- wp:paragraph --> <p>As a result, the second DGA method would form the string "MON16AM04mkro" for the date and time "September 16th at 09:42."</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>From this point, both methods are the same. They generate an MD5 hash of the concatenated string and use the first 20 characters as a subdomain. 
The apex domain is retrieved using a list that corresponds to the current day of the month:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>01 blogdns[.]com 02 blogdns[.]net 03 blogdns[.]org 04 blogsite[.]org 05 webhop[.]biz 06 webhop[.]info 07 dnsalias[.]com 08 dnsalias[.]net 09 dnsalias[.]org 10 dnsdojo[.]com 11 doesntexist[.]com 12 doesntexist[.]org 13 dontexist[.]com 14 dontexist[.]net 15 dontexist[.]org 16 doomdns[.]com 17 doomdns[.]org 18 dvrdns[.]org 19 dyn-o-saur[.]com 20 dynalias[.]com 21 dynalias[.]net 22 dynalias[.]org 23 dynathome[.]net 24 endofinternet[.]net 25 endofinternet[.]org 26 endoftheinternet[.]org 27 webhop[.]org 28 issmarterthanyou[.]com 29 neat-url[.]com 30 from-ks[.]com 31 dyndns-remote[.]com</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>For both methods explained above, the final C2 domains are:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>3cd99dd0981c76e5a7b9[.]doomdns[.]com 4e342df890dd9fb169e0[.]doomdns[.]com</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>Mekotio also supports a C2 mode of 0, which is likely meant as a fallback or testing channel, and contains a hardcoded IP address to be used as a C2 server:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>177.235.219[.]126</code></pre> <!-- /wp:code --> <!-- wp:heading --> <h2 class="wp-block-heading">Behavior</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>Just like most other banking trojans, all specific functionality of Mekotio requires sensitive strings. These are decrypted at runtime to avoid static detections. Mekotio uses an old algorithm which is among the most common ones in LATAM banking trojans, and has been used as such or in slight variations with other bankers including <a href="https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/">Grandoreiro</a>, Ousaban and Astaroth/Guildma. 
It has been documented numerous times before, but the following is an example Python implementation:</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448294,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-Chart-14.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-Chart-14.png" alt="" class="wp-image-448294"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p>The main objective of Mekotio or any other LATAM banking trojan is to discover the use of banking applications and attempt to manipulate the apps, web apps or the users themselves to commit banking fraud. In the initial discovery of targeted banking applications, the banking trojans include a list of strings containing the names of common financial institutions and their related apps. This list is constantly compared against any open windows on the infected machine. If there is a match, the banking trojan will inform the operator which exact application is used. 
Mekotio contains the following list indicating a clear targeting towards banking apps used throughout LATAM:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>BancoDaycoval BancoMercantil CCBBrasil agibank aplicativoita asaas atendimentoita badesul bancoalfa bancobmg bancobradesco bancobs2 bancodaamazonia bancodobrasil bancodoestadodopar bancodonordeste bancointer bancoita bancomercantil bancooriginal bancorendimento bancotopazio bancovotorantim banesedoseujeito banestes banrisul bbcombr bdmgdigital binance bitcointrade bitfinex bitpreco bitstamp blockchain bnb.gov.br bradesco braziliex brbbanknet citibank civiacontaonline contasimples coopcred cora credinet credisis creditran credsis cresolinternetbanking gerenciadorfinanceiro homebank internetbanking.banpara internetbankingcai itauaplicativo.exe logincaixa loginx mercadobitcoin mercadopago navegadorexclusivo pagueveloz picpay poloniex primebit primexbt pro.bitcointoyou recargapay safranetbanking santand sicoob sicredi sisprime sisprime sofisa stone tribanco unicred uniprime viacredi wise</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>When one of the referenced banking applications is detected, Mekotio can handle specific commands. 
These commands implement the following functionality: </p> <!-- /wp:paragraph --> <!-- wp:list --> <ul class="wp-block-list"><!-- wp:list-item --> <li>Lock the applications window to prevent users from exiting</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Grab input from the window, which might include credentials and tokens</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Create a fake window imitating the banking application to capture credentials or tokens</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Display or capture a QR code, which may be used to circumvent multi-factor authentication (MFA)</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Display a token again to circumvent MFA </li> <!-- /wp:list-item --></ul> <!-- /wp:list --> <!-- wp:paragraph --> <p>Mekotio contains several images designed to imitate banking applications:</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448283,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-13.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-13.png" alt="" class="wp-image-448283"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 13: Readily available application images</em></p> <!-- /wp:paragraph --> <!-- wp:image {"id":448284,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-14.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-14.png" alt="" class="wp-image-448284"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 14: Readily available application images</em></p> <!-- /wp:paragraph --> <!-- wp:image {"id":448285,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a 
href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-15.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-15.png" alt="" class="wp-image-448285"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 15: Readily available application images</em></p> <!-- /wp:paragraph --> <!-- wp:image {"id":448286,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-16.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-16.png" alt="" class="wp-image-448286"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 16: Readily available application images</em></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>In addition, Mekotio supports a list of further commands to control the infected machine, including commands to: </p> <!-- /wp:paragraph --> <!-- wp:list --> <ul class="wp-block-list"><!-- wp:list-item --> <li>Send keystrokes, mouse movement, clicks or scrolls</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Display windows with custom text</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Send or receive clipboard data</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Change C2 modes</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Beacon/Ping C2</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Kill process "core.exe" associated with banking security software</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Kill browsers</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Maximize browser windows</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Show taskbar</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Send system enumeration data</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Take screenshots</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Constantly check for windows such as "Task Manager" 
and "Warning" and immediately close them </li> <!-- /wp:list-item --></ul> <!-- /wp:list --> <!-- wp:paragraph --> <p>Another interesting functionality exhibited by Mekotio is a feature internally called "Troca sistema de lugar", which roughly translates to "Change system location" (Portuguese machine translation). Mekotio will send an HTTP GET request to retrieve an encrypted string stored at:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>https://api.cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>The string contains a key and encrypted data between hardcoded separators, which reveal a list of further download URLs hosted on Google Firebase:</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire.txt?alt=media&token=096bbc3c-d9eb-4010-a8c7-36d51874bff7 https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire?alt=media&token=8c582627-8a00-4e3d-9bc5-9b657ad0f135</code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>Both URLs host the same 40KB JSON file. Mekotio downloads this file as part of the next stage of the process.</p> <!-- /wp:paragraph --> <!-- wp:image {"id":448287,"sizeSlug":"full","linkDestination":"media"} --> <figure class="wp-block-image size-full"><a href="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-17.png"><img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-17.png" alt="" class="wp-image-448287"/></a></figure> <!-- /wp:image --> <!-- wp:paragraph --> <p><em>Figure 17: JSON file contents</em></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>The JSON file contains two lists, "diretorioraiz" and "nomesdiretorio." The former contains four system directories, and the latter is what appears to be a large list of folder names related to video games. 
Although the exact purpose of this content is not clear, Mekotio appears to randomly select and create a folder from the list and copy its archive to the new location. Afterward, it re-establishes persistence through the registry run key.</p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">Conclusion</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>Hive0147 is just one of dozens of malware distributors enabling the cyber crime ecosystem in LATAM. IBM X-Force is observing an increase in threats targeting the region with newly developed malware such as Picanha, and high volumes of phishing campaigns. Ultimately, the close collaboration between LATAM cyber crime groups should urge defenders to collaborate just as closely. By making full use of <a href="https://www.ibm.com/topics/threat-intelligence">threat intelligence</a> to stay informed about the latest threats and best practices, individuals and organizations can mitigate the risks associated with banking trojans and protect themselves from financial loss. 
Combating these threats and ensuring a secure digital future for the region requires strong cooperation between governments, financial institutions, law enforcement and security researchers.</p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">Technical recommendations</h2> <!-- /wp:heading --> <!-- wp:paragraph --> <p>IBM X-Force encourages organizations that may be impacted by these campaigns to review the following recommendations: </p> <!-- /wp:paragraph --> <!-- wp:list --> <ul class="wp-block-list"><!-- wp:list-item --> <li>Exercise caution with emails and PDFs prompting a file download</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Monitor emails for URLs abusing cloud service domains such as "app.goo.gl" for phishing</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Monitor registry keys used for persistence, including:</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li><strong>HKEY_CURRENT_USER\Environment\UserInitMprLogonScript</strong></li> <!-- /wp:list-item --> <!-- wp:list-item --> <li><strong>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</strong></li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Consider blocking pre-calculated DGA domains via DNS</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Install and configure endpoint security software</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Update relevant network security monitoring rules</li> <!-- /wp:list-item --> <!-- wp:list-item --> <li>Educate staff on the potential threats to the organization</li> <!-- /wp:list-item --></ul> <!-- /wp:list --> <!-- wp:paragraph --> <p><em>To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services </em><a href="https://www.ibm.com/account/reg/us-en/signup?formid=urx-52262">schedule a meeting here</a><em>.</em></p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p><em>If you are experiencing cybersecurity 
issues or an incident, contact </em><a href="https://www.ibm.com/x-force">X-Force</a><em> to help: </em> </p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p><em>US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.</em></p> <!-- /wp:paragraph --> <!-- wp:heading --> <h2 class="wp-block-heading">Indicators of compromise</h2> <!-- /wp:heading --> <!-- wp:table --> <figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>Indicator</strong></td><td><strong>Indicator Type</strong></td><td><strong>Context</strong></td></tr><tr><td> https://yhv6e.app.goo[.]gl/ASmaxYfRW4Eh9j34A</td><td> URL</td><td> Hive0147 phishing URL</td></tr><tr><td> https://xek99.app.goo[.]gl/g21ytBravSMDQb7H6</td><td> URL</td><td> Hive0147 phishing URL</td></tr><tr><td> d5800c06fe27cf0c6858ea7e02c8b2d35d7a76a93077f9ca6e41878603c38ef3</td><td> SHA256</td><td> Picanha Downloader stage 1</td></tr><tr><td> olukv[.]familyrealstore[.]com</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> khqry[.]vitapronobisfassolution[.]com[.]br</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> izlhu[.]ometodoseroficial[.]com</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> jmaah[.]clicktelefoniaempresarial[.]com[.]br</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> sohye[.]topracoes[.]com</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> tjqty[.]deccsmagazine[.]com[.]br</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> ljoea[.]curasdanatureza[.]com</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> zpguk[.]cozinhaofertas[.]com</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> hzfzx[.]khadicomunicacao[.]com[.]br</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> dyicn[.]ofertadsn[.]com[.]br</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> 39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012</td><td> 
SHA256</td><td> Legitimate application</td></tr><tr><td> 4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e</td><td> SHA256</td><td> Picanha stage 2 DLL</td></tr><tr><td> 18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b</td><td> SHA256</td><td> Encrypted Mekotio payload</td></tr><tr><td> 6a5db2fe1deabd14864a8d908169e4842c611581bdc3357fa597a8fbbc37baf6</td><td> SHA256</td><td> Decrypted Mekotio banking trojan</td></tr><tr><td> 3cd99dd0981c76e5a7b9[.]doomdns[.]com </td><td> Domain</td><td> Mekotio example DGA domain</td></tr><tr><td> 4e342df890dd9fb169e0[.]doomdns[.]com</td><td> Domain</td><td> Mekotio example DGA domain</td></tr><tr><td> 177.235.219[.]126</td><td> IP</td><td> Mekotio fallback C2 server</td></tr><tr><td> https://api.cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my</td><td> URL</td><td> Mekotio component download URL</td></tr><tr><td> https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire.txt?alt=media&token=096bbc3c-d9eb-4010-a8c7-36d51874bff7 </td><td> URL</td><td> Mekotio component download URL</td></tr><tr><td> https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire?alt=media&token=8c582627-8a00-4e3d-9bc5-9b657ad0f135</td><td> URL</td><td> Mekotio component download URL</td></tr></tbody></table></figure> <!-- /wp:table --> <!-- wp:paragraph --> <p></p> <!-- /wp:paragraph -->" } </script> <!-- BREADCRUMB SCHEMA --> <script id="post-schema" type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [ { "@type": "ListItem", "position": 1, "name": "Home", "item": "https://securityintelligence.com/" } ] } </script> <div id="progressbar"> <amp-animation id="progress-animation" layout="nodisplay"> <script type="application/json"> { "duration": "1s", "iterations": "1", "fill": "both", "direction": "alternate", "animations": [{ "selector": "#progressbar", "keyframes": [{ "transform": "translateX(0)" }] }] } </script> 
</amp-animation> </div> <amp-position-observer target="post__content" intersection-ratios="0" viewport-margins="25vh 75vh" on="scroll:progress-animation.seekTo(percent=event.percent)" layout="nodisplay"></amp-position-observer> <div class="dark_background" style="background:black;"></div> <div class="container grid" style="background:black;"> <!-- Breadcrumbs --> <aside class="breadcrumbs "> <h1 class="breadcrumbs__page_title">Hive0147 serving juicy Picanha with a side of Mekotio</h1> </aside> </div> <div class="container grid hero_background "> <div class="grid__content post "> <div class="post__thumbnail"> <amp-img alt="Closeup on a laptop screen displaying green code in a dimly red-lit room" width="1200" height="630" layout="responsive" src="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code-630x330.jpeg.webp" srcset="/wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code-300x158.jpeg.webp 300w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code-630x330.jpeg.webp 630w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code.jpeg.webp 1200w, /wp-content/webp-express/webp-images/doc-root/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code.jpeg.webp 2400w"> <amp-img fallback alt="Closeup on a laptop screen displaying green code in a dimly red-lit room" width="1200" height="630" layout="responsive" src="https://securityintelligence.com/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code-630x330.jpeg" srcset="https://securityintelligence.com/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code-300x158.jpeg 300w, 
https://securityintelligence.com/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code-630x330.jpeg 630w, https://securityintelligence.com/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code.jpeg 1200w, https://securityintelligence.com/wp-content/uploads/2024/10/Closeup-on-modern-female-with-laptop-writing-code.jpeg 2400w"> </amp-img> </amp-img> </div> <div class="new_categoy"> <div class="category-container"> <div class="category"> <div class="theme"> <div class="form-check form-switch"> <div class="link-container"> <a href="#" class="theme-link" id="light-theme-link">Light</a> <a href="#" class="theme-link" id="dark-theme-link">Dark</a> </div> </div> </div> <hr class="separator"> <div class="author_date"> <div class="information"> <span class="date">October 16, 2024</span> <span class="author_category">By <a href="https://securityintelligence.com/author/golo-muhr/" >Golo Mühr</a> <span class="author_comma"></span><br> <!--== Co-Authors ==--> <!-- <br /> --> <a href="https://securityintelligence.com/author/melissa-frydrych/">Melissa Frydrych</a> <br> </span> <span class="author_category"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 17</span> <span class="rt-label rt-postfix">min read</span></span></span> </div> </div> <hr class="separator"> <div class="title"> <a href="https://securityintelligence.com/category/x-force/threat-intelligence/"><span class="name_category">Threat Intelligence<br> <a href="https://securityintelligence.com/category/x-force/malware-threat/"><span class="name_other_category">Malware<br> <a href="https://securityintelligence.com/category/x-force/"><span class="name_other_category">X-Force<br> </span></a> </div> <div class="social-container" style="visibility: hidden;"> <hr class="separator"> <div class="social"> <!-- Social ICONS --> <a href="https://twitter.com/intent/tweet?text=Hive0147 serving juicy Picanha with a side of 
Mekotio&url=https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/twitter.svg" alt="twitter"></amp-img></a> <a href="https://www.linkedin.com/shareArticle?url=https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/linkedin.svg" alt="Linkedin" ></amp-img></a> <a href="https://www.facebook.com/sharer/sharer.php?u=https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/facebook.svg" alt="facebook"></amp-img></a> <a href="https://securityintelligence.com/x-force/hive0147-serving-juicy-picanha-with-side-of-mekotio/" target="_blank" rel="noopener noreferrer"><amp-img class="arrow" layout="fixed" height="26" width="26" src="https://securityintelligence.com/wp-content/themes/sapphire/images/social-icons/link.svg" alt="An arrow pointing up"></amp-img></a> </div> </div> </div> <script> window.addEventListener('scroll', function() { var category = document.querySelector('.category'); var scrollPosition = window.scrollY; if (scrollPosition >= 0) { category.classList.add('sticky'); } else { category.classList.remove('sticky'); } }); // Function to set the light theme function setLightTheme(event, toSaveLocalStorage = true) { event.preventDefault(); const body = document.body; body.classList.remove('dark-theme'); // Save the user's theme preference in localStorage if (toSaveLocalStorage && 
!location.href.includes("/x-force/")) { setSiTheme('light'); } } // Function to set the dark theme function setDarkTheme(event, toSaveLocalStorage = true) { event.preventDefault(); const body = document.body; body.classList.add('dark-theme'); // Save the user's theme preference in localStorage if (toSaveLocalStorage && !location.href.includes("/x-force/")) { setSiTheme('dark'); } } // Add click event listeners to the theme links document.getElementById('light-theme-link').addEventListener('click', (event) => setLightTheme(event)); document.getElementById('dark-theme-link').addEventListener('click', (event) => setDarkTheme(event)); // Check localStorage to set the initial theme preference const themePreference = localStorage.getItem('si-theme-mode'); // Function to simulate a click event function simulateClick(handler, toSaveLocalStorage) { const event = new Event('click'); handler(event, toSaveLocalStorage); } // Apply the correct theme based on URL and preference if (location.href.includes("/x-force/")) { simulateClick(setDarkTheme, false); // Apply the dark theme for all x-force posts } else if (themePreference === 'dark') { simulateClick(setDarkTheme, true); // Apply the dark theme based on user preference } else if (themePreference === 'light') { simulateClick(setLightTheme, true); // Apply the light theme based on user preference (default) } else { simulateClick(setLightTheme, true); // Apply the light theme by default } </script> <script> const cookies = JSON.parse(localStorage.getItem("truste.eu.cookie.notice_preferences")); if (cookies && cookies.value === '2:') { document.querySelector('.social-container').style.visibility = 'visible'; } </script> </div> <main class="post__content " id="post__content"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"> <html><body><p>IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. 
X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution.</p> <p>After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named “Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147 also distributes other banking trojans, such as Banker.FN also known as Coyote, and is likely affiliated with several other Latin American cyber crime groups operating different downloaders and banking trojans to enable banking fraud.</p> <h2 class="wp-block-heading">Key findings</h2> <ul class="wp-block-list"> <li>Hive0147 is one of the most active URL-based phishing threat actors targeting LATAM</li> <li>Malware distributed by Hive0147 has led to a variety of banking trojans, including Banker.FN and Mekotio</li> <li>X-Force discovered a new two-stage downloader named Picanha, which was used to facilitate a Mekotio infection</li> <li>The Mekotio variant observed by X-Force targets a multitude of banking applications and uses DGA to resolve its C2 servers</li> </ul> <h2 class="wp-block-heading">LATAM digital landscape</h2> <p>LATAM has increasingly become a highly targeted cyber threat landscape, specifically in Brazil and Mexico, where economies and industries show strong development. Evolving digital landscapes can be seen expanding into government services and financial technologies, including mobile banking. The <a href="https://paymentscmi.com/wp-content/uploads/2023/08/2023_PCMI_Blueprint_Standard_August-2023.pdf" target="_blank" rel="noopener nofollow" >2023 Latin America E-commerce Blueprint</a> found that e-commerce will steadily grow by at least 20% annually due to improved technology, innovations from online platforms and the adoption of alternative payment methods. 
In 2023, 71% of adults in the region had a financial account, and it is estimated that between 2023 and 2026, 33 million new users will use the internet for the first time. E-commerce in LATAM, including retail and other sectors like tax payments, fees and licenses, bill payments and government services, has dominated with 70% of e-commerce transactions conducted over mobile channels since 2020. Conducting transactions over mobile channels gives users the flexibility to store user credentials in digital wallets and initiate real-time bank transfers. For example, Brazil’s ‘Pix’ payment platform accounts for 16% of the region’s e-commerce transaction volume. By 2026, it is estimated that Pix growth will account for 38% of online sales. With increasing digital developments in LATAM, specifically with e-commerce platforms, IBM X-Force assesses malware distributors such as Hive0147 are taking advantage of the growth. Malware distributors operating within LATAM are increasing <a href="https://www.ibm.com/topics/phishing" >phishing</a> campaign delivery in hopes of obtaining credentials, specifically banking credentials, for monetary gain. <a href="https://www.ibm.com/reports/threat-intelligence?utm_content=SRCWW&p1=Search&p4=43700079592066625&p5=e&p9=58700008676650552&gclid=EAIaIQobChMI06WYlqS2iAMVKy7UAR3mSxgXEAAYASAAEgK48fD_BwE&gclsrc=aw.ds" >Throughout 2023</a>, LATAM remained a highly impacted region, accounting for 12% of <a href="https://www.ibm.com/topics/incident-response" >incident response</a> cases supported by IBM X-Force. In 2023, entities and users in Brazil were most frequently targeted, making up 68% of all cases that IBM X-Force responded to in LATAM, while users in Colombia accounted for 17%, and users in Chile 8%.</p> <p>IBM X-Force tracks several threat actors operating in LATAM, although attribution and clustering can be difficult due to overlapping tactics, techniques and procedures (TTPs). 
Phishing campaigns within the LATAM region typically contain themes related to public service, government, taxes and invoices, with the email bodies including either Portuguese or Spanish language content. Often, infection chains consist of multiple stages, starting with either PDF lures or URLs. <a href="https://www.ibm.com/blog/x-force-cloud-threat-landscape/" >Cloud-hosted</a> payloads commonly observed in campaigns use platforms such as Azure blob (blob.core.windows.net), Azure (cloudapp.azure.com), Firebase dynamic links, GoDaddy (host.secureserver.net) and Google Cloud Run (app.goo.gl). When users click on one of the provided links, they are redirected and initiate the download of a ZIP archive file. Depending on the campaign, X-Force notes the ZIP files might contain one of the following file types: MSI, EXE, CMD, HTA or VBS. Executing the ZIP file starts the infection chain, with some distributors being partial to specific malware such as BlotchyQuasar (Hive0129), Guildma and some Grandoreiro operators, while others use different payloads and a variety of forks. Frequently, email campaigns containing redirect links are geofenced, requiring the user to access the links within a specific LATAM country (most commonly Brazil, Mexico or Colombia).</p> <p>Hive0147 is one of the most active banking malware distributors IBM X-Force observes that currently operates in LATAM. IBM X-Force has been tracking a steady influx of campaigns grouped under Hive0147 delivering the banking trojan Banker.FN, as well as a new Golang-based downloader we’ve named “Picanha,” deploying the well-known Mekotio banking trojan. 
Although we do not attribute this new downloader to Hive0147 specifically, IBM X-Force assesses that LATAM distributors operate under a model similar to that of other cyber crime groups, with affiliate groups specializing in spamming, malware staging or crypting, and banking trojan operations and monetization.</p> <h2 class="wp-block-heading">Hive0147 distribution activity</h2> <p>Most of Hive0147’s emails are sent from French IP addresses, although there has been a recent shift to emails almost exclusively being sent from Dutch IP addresses. Shifting the location of sender IP addresses may be an attempt to evade detection and bypass security, prevent IP blocking or make attribution difficult. Interestingly, of the campaign activity observed since January, X-Force found that about half of the emails have a successful DomainKeys Identified Mail (DKIM) verification. DKIM is a method in which signatures are used to verify the authenticity of an email message and ensure that it did not change during transit. Emails with successful DKIM checks may have a higher likelihood of not being flagged as spam. Note that a passing DKIM check only confirms that the signing domain vouched for the message; it does not establish that the sender is legitimate, so it should not be relied upon on its own to clear a message. For Hive0147, failed DKIM checks may have been a misconfiguration on the actor’s part or the result of using different services or infrastructures that do not support DKIM.</p> <p>During phases of activity, IBM X-Force has observed Hive0147 exhibit a significantly higher volume of activity compared to other LATAM malware distributors. Since January 2024, X-Force notes that activity attributed to Hive0147 occurs on all days during the week; however, activity mainly occurs Monday to Thursday, with 80% of campaign emails sent on these days. Interestingly, from April to July, we saw an almost complete stop in activity, which may be the result of higher-than-normal domestic travel. Brazil’s travel industry is growing rapidly, which can be seen in the increase in both domestic and international air traffic. 
The National Civil Aviation Agency (ANAC) reported a significant increase in flight passenger traffic of <a href="https://www.riotimesonline.com/passenger-volume-in-brazilian-airports-increases-by-4-4-in-first-half-of-2024/" target="_blank" rel="noopener nofollow" >4.4%</a> between January and June 2024, recording 56.2 million passengers. In addition, the International Air Transport Association (IATA) <a href="https://www.travelandtourworld.com/news/article/how-brazil-is-beating-us-in-the-global-travel-industry-boom/" target="_blank" rel="noopener nofollow" >reported</a> that in July 2024, domestic tourism in Brazil grew by a substantial 8.9%.</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-1.png" layout="intrinsic" class="wp-image-448270" alt="" srcset="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-1.png 1237w, https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-1-150x150.png 150w" width="1237" height="1244" lightbox="lightbox"></amp-img></figure> <p><em>Figure 1: Hive0147 active campaign days</em></p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-2.png" layout="intrinsic" class="wp-image-448271" alt="" width="1382" height="750" lightbox="lightbox"></amp-img></figure> <p><em>Figure 2: Hive0147 top six IP usage by country</em></p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-3.png" layout="intrinsic" class="wp-image-448272" alt="" width="1374" height="744" lightbox="lightbox"></amp-img></figure> <p><em>Figure 3: Hive0147 DKIM success and permanent_error</em></p> <h2 class="wp-block-heading">Hive0147 and Banker.FN</h2> <p>IBM X-Force has been tracking and clustering a series of campaigns as Hive0147 since 2023, which have been delivering the banking trojan Banker.FN. 
Banker.FN is a .NET-based banking trojan first <a href="https://web-assets.esetstatic.com/wls/2022/12/Spy.Banker.FN_novo-trojan-banc%C3%A1rio-est%C3%A1-sendo-propagado-no-Brasil.pdf" target="_blank" rel="noopener nofollow" >reported</a> in early 2023, with activity dating back to at least September 2022. Since then, Banker.FN has received several updates with added functionality.</p> <p>Banker.FN is able to: </p> <ul class="wp-block-list"> <li>Exfiltrate sensitive information</li> <li>Enumerate active banking websites</li> <li>Display fake logins and multi-factor authentication windows</li> </ul> <p>IBM X-Force attributes campaigns delivering Banker.FN to Hive0147 with medium confidence, as activity can be difficult to delineate from other LATAM distributors due to TTP overlaps. X-Force considers the reported Banker.FN campaigns from July 2023 to likely November 2023 as Hive0147 operations.</p> <h3 class="wp-block-heading">Campaign elements between July and November 2023:</h3> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><td><strong>Emails</strong></td><td><strong>Cloud-hosted Payloads</strong></td><td><strong>ZIP Download</strong></td><td><strong>Use of Electron App</strong></td><td><strong>Installer</strong></td><td><strong>NIM Loader</strong></td><td><strong>Filenames</strong></td></tr></thead><tbody><tr><td>Sent during the week (based on either X-Force observation or ZIP file compile dates)</td><td>X-Force observed goo.gl URLs or unknown</td><td>Yes</td><td>Yes</td><td>NSIS <em>transition</em> <em>to</em> Squirrel</td><td>Yes</td><td>All similar, containing variations and combinations of “PDF, Fatur, Mensal, doc”</td></tr></tbody></table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div></figure> <h2 class="wp-block-heading">Distribution disguised as Electron app</h2> <p>In late July-August 2023, X-Force observed that Banker.FN version 1.0.0.89 was being distributed in high-volume email campaigns. 
Campaigns were active during the weekdays, targeting users in Brazil with emails using themes related to invoices and deliveries. Emails contained an embedded “app.goo[.]gl” link, redirecting users to Firebase dynamic links to download a malicious Electron app acting as a loader. Upon installation, the loader goes through several infection stages, including a Nim-compiled crypter, to stealthily inject the final payload. The banking trojan is then able to exfiltrate sensitive information, enumerate active banking websites, and display fake logins and multi-factor authentication windows.</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-4.png" layout="intrinsic" class="wp-image-448273" alt="" width="705" height="918" lightbox="lightbox"></amp-img></figure> <p><em>Figure 4: Examples of fake multi-factor authentication windows</em></p> <h2 class="wp-block-heading">Abusing the Squirrel installer</h2> <p>IBM X-Force observed the distribution of Banker.FN again in late August 2023, this time delivered via DocuSign. Although emails were sent Friday to Monday, most emails were delivered on Friday. The campaign targeted Portuguese-speaking users and directed the recipient to review and sign a document by clicking on a Firebase dynamic link. The victim is then redirected to a dropper site, which upon resolving the domain will download a ZIP file onto the victim’s machine. The downloaded ZIP archive contains an executable posing as a PDF file, which is a malicious Electron app built into a Squirrel.Windows installer. 
Upon execution, it installs its malicious components, establishes persistence, detects virtual environments and decrypts the next stage before executing it via DLL hijacking.</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-5.png" layout="intrinsic" class="wp-image-448274" alt="" width="1121" height="920" lightbox="lightbox"></amp-img></figure> <p><em>Figure 5: Sample email</em></p> <p>The Electron app built into a <strong>Squirrel.Windows</strong> installer is a slight change from the previous campaign, where the Electron app was built into an NSIS installer. The app, however, is built the same way and contains an obfuscated JavaScript installer that checks for common virtual machine environments before establishing persistence and decrypting an archive containing another trojanized application. The trojanized application executes a legitimate executable, which in turn executes a bloated malicious loader via DLL hijacking, continuing the attack execution. This campaign continues with the use of a Nim-compiled loader using more advanced techniques such as direct syscalls.</p> <p>Further reports made public in <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener nofollow" >February</a> and <a href="https://blogs.blackberry.com/en/2024/07/coyote-banking-trojan-targets-latam-with-a-focus-on-brazilian-financial-institutions" target="_blank" rel="noopener nofollow" >July</a> 2024 detail campaigns likely occurring in late 2023 delivering a purported new malware named “Coyote”; however, the malware is a banking trojan <a href="https://drive.google.com/file/d/1YE_q1SRhMwTz-J56lcxGWqoB4C2iR9kV/view" target="_blank" rel="noopener nofollow" >first discovered by ESET</a> called Banker.FN. 
The infection chain in both campaigns involves the Squirrel installer for malware distribution, as well as NodeJS and the Nim loader.</p> <h2 class="wp-block-heading">“Picanha” and the role of downloaders in the banking trojan ecosystem</h2> <p>The ecosystem of LATAM banking trojans is unique in comparison to other cyber crime operations. LATAM is one of the only regions in which banking trojans are still used heavily to commit banking fraud, while most other banking trojans have since moved on to become backdoors and botnets to furnish <a href="https://www.ibm.com/topics/ransomware" >ransomware</a> attacks. The threat groups operating out of LATAM and Spain also display a high degree of cross-group collaboration, while sticking to their tried-and-true techniques, seldom found in other regions. Although this does help to quickly identify a “Latin American banking trojan” group or campaign, attribution is often very challenging due to the strong overlaps. Different malware strains will often use similar string encryption algorithms, and several banking trojans are believed to be operated as Malware-as-a-Service or have several independently developed and operated forks. The same applies to the malware distributors, which mainly rely on shared techniques such as public cloud hosting and phishing emails containing PDFs and malicious URLs to download ZIP archives containing the first-stage <a href="https://www.ibm.com/topics/malware" >malware</a>.</p> <p>In most cases, the first stage is a downloader-type malware. These come in all shapes and sizes and can have varying levels of complexity. A large portion of downloaders are script-based, often featuring lengthy infection chains composed of scripts including Batch, JavaScript, Visual Basic Script or PowerShell, and the scripts themselves may also be embedded in files such as HTML, LNK (Guildma especially) or MSI installers. 
The more complex downloaders often support some very basic enumeration on the host, which they pass back to their C2/download server, in order to notify the operators of the potential value of an infection. One example is the <a href="https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/" >Grandoreiro downloader</a>, a member of the Grandoreiro family which features its own string encryption and performs detailed enumeration before downloading the main banking trojan.</p> <p>Other downloaders are more generic but are also used to download banking trojans such as Grandoreiro. What the latter have in common is that they almost always download a full archive containing a legitimate application, with the malware hidden in a trojanized DLL which is loaded by the application upon execution. The reason for this method of packaging and distribution is so that any potentially suspicious activity performed by the banking trojan appears to EDR solutions as if it is coming from a legitimate executable’s process. This recurring technique is characteristic of the LATAM ecosystem and has been a distinctive feature for several years. In mid-2024, IBM X-Force observed a campaign delivering a new downloader exhibiting the same characteristics. X-Force named the new Golang-based downloader <strong>“Picanha.”</strong></p> <p>The Picanha downloader is the next evolution of this malware type, offering enhanced features such as supporting more download URLs, reliable encryption and a more sophisticated in-memory execution mechanism, surpassing previous downloader capabilities. However, the builder for Picanha, which is responsible for creating the random function names and other values, is likely still under development. 
Frequent code changes, such as bug fixes and the presence of unused configuration values, may further indicate that future versions could include additional features such as persistence for the downloaded payload.</p> <h2 class="wp-block-heading">Picanha downloader</h2> <p>In July 2023, IBM X-Force observed an email campaign using the new Golang-based downloader Picanha to deliver the Mekotio banking trojan. The initial phishing email is in Portuguese and targets employees informing them of an apparent change in the number of vacation days they have. This theme directly threatens employees’ well-being and the sense of urgency may lead to victims impulsively clicking on the included URL to view the changes.</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-6.png" layout="intrinsic" class="wp-image-448275" alt="" width="1144" height="1330" lightbox="lightbox"></amp-img></figure> <p><em>Figure 6: Sample phishing email</em></p> <p>As in previous campaigns targeting LATAM entities, the URL uses Google’s Cloud Run service and redirects victims to a site to download a ZIP file containing a malicious executable. The new Golang-based malware “Picanha downloader” consists of two stages.</p> <h3 class="wp-block-heading">Stage 1</h3> <p>Notably, the first stage of the Golang executable contains original function names; however, these have been selected randomly for each sample based on a Portuguese wordlist:</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-7.png" layout="intrinsic" class="wp-image-448276" alt="" width="856" height="329" lightbox="lightbox"></amp-img></figure> <p><em>Figure 7: Wordlist</em></p> <p>First, Picanha begins by executing a function designed to imitate the Sleep command. The function calculates the elapsed time and performs random calculations until a randomly chosen threshold is reached. 
The calculation time varies from 25 seconds to 3 minutes. This technique is likely to hinder or slow down detection engines which are often able to hook the Sleep API and skip the dormant functionality.</p> <p>Then, Picanha decrypts its configuration, which is stored as a hardcoded hex string encrypted with AES-256-GCM.</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-8.png" layout="intrinsic" class="wp-image-448277" alt="" width="1374" height="543" lightbox="lightbox"></amp-img></figure> <p><em>Figure 8: Encrypted configuration</em></p> <p>The decrypted configuration string contains values delimited by the characters “#” and “|”:</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-Chart-2.png" layout="intrinsic" class="wp-image-448298" alt="" width="1357" height="310" lightbox="lightbox"></amp-img></figure> <p>The decrypted configuration consists of: </p> <ul class="wp-block-list"> <li>10 different download domains</li> <li>The file path of Topaz OFD – an online banking security app popular in Latin America</li> <li>A registry key commonly used for persistence – currently unused</li> <li>The relative path “\Microsoft\Windows” – currently unused</li> <li>A random word used as the name of the folder to store the payload </li> </ul> <p>Picanha will then create a new folder in a randomly chosen folder within the <strong>%LOCALAPPDATA% </strong>directory. For the analyzed sample based on the above config, the folder would be named <strong>“secretores.”</strong></p> <p>Next, the malware enters a loop and attempts to connect to each of the 10 embedded download domains until one is successful. Between the requests, the malware sleeps in random intervals. For each domain, it constructs a full URL and attempts to download a payload. 
If the request is successful, it will parse the payload as a ZIP archive and extract the contents into the newly created directory.</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-9.png" layout="intrinsic" class="wp-image-448279" alt="" width="1377" height="858" lightbox="lightbox"></amp-img></figure> <p><em>Figure 9: Loop attempting connections to embedded domains</em></p> <p>After that, the malware checks for the presence of the Topaz OFD banking security protection module, determining whether it is installed by verifying that the path <strong>“C:\Program Files\Topaz OFD\Warsaw”</strong> exists on the system. Depending on the result, Picanha issues a second HTTP GET request to the following URL, using the same domain as for the ZIP download:</p> <pre class="wp-block-code"><code>https://&lt;domain&gt;/N -&gt; Not installed https://&lt;domain&gt;/S -&gt; Installed</code></pre> <p>Finally, Picanha launches the main executable which was extracted from the ZIP archive. 
As often seen with infection chains of related banking trojans, the main executable is a legitimate application that loads a trojanized DLL, in this case, named <strong>NsBars.dll</strong>.</p> <p>In the example above, the extracted archive contains innocuous files related to the legitimate application and the following three files used for the next steps of the infection chain:</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><td><strong>Relative path</strong></td><td><strong>Description</strong></td><td><strong>SHA256</strong></td></tr></thead><tbody><tr><td>.\Textoescritor.exe</td><td>Legitimate application</td><td>39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012</td></tr><tr><td>.\bin\NsBars.dll</td><td>Malicious DLL (Picanha Stage 2), replacing the original NsBars.dll</td><td>4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e</td></tr><tr><td>.\wFHYfjQNzkoG.dat</td><td>Encrypted Mekotio payload</td><td>18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b</td></tr></tbody></table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div></figure> <p>Picanha’s first stage terminates after executing <strong>Textoescritor.exe</strong>. The legitimate application goes on to load a series of user DLLs from the “bin” subdirectory, including the trojanized<strong> NsBars.dll</strong>. When NsBars.dll is loaded, the export function “BarCreate” is called. 
The code in this function is responsible for executing the second stage of Picanha.</p> <h3 class="wp-block-heading">Stage 2</h3> <p>Picanha’s second stage starts with the decryption of the final payload (Mekotio), which requires two arguments to proceed: </p> <ol class="wp-block-list"> <li>The filename of the encrypted payload “wFHYfjQNzkoG.dat”</li> <li>A decryption password “hNWzPAsZVruI” </li> </ol> <p>The final payload is decrypted in memory using the SHA256 hash of the password as a key for the AES-256-GCM algorithm.</p> <p>Finally, the address of the decrypted Mekotio payload is passed to a loader function to manually map the binary into a new buffer in memory and resolve its imports. The loader function retrieves the entry point of the Mekotio payload and transfers execution to it.</p> <h2 class="wp-block-heading">Mekotio banking trojan</h2> <p>The Mekotio banking trojan is a Delphi-compiled executable, in this case a 64-bit DLL. Execution begins in the main class with the <em>FormCreate </em>function which attempts to retrieve handles for the following DLLs used by banking security applications:</p> <pre class="wp-block-code"><code>wslbscr32.dll wslbscrwh32.dll RapportGH.dll rooksbas.dll rooksdol.dll</code></pre> <p>If they were already loaded into memory, Mekotio would attempt to unload the DLLs by calling <em>DllMain </em>with the DLL_PROCESS_DETACH parameter. 
However, a simple error in the code causes this functionality to fail due to an encrypted string missing its decryption function:</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-10-1.png" layout="intrinsic" class="wp-image-448280" alt="" width="1372" height="480" lightbox="lightbox"></amp-img></figure> <p><em>Figure 10: Decryption function</em></p> <p>The next interesting piece of code uses <em>SetSecurityInfo </em>to modify the discretionary access control list (DACL) of its process, setting it to a new empty DACL.</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-11.png" layout="intrinsic" class="wp-image-448281" alt="" width="1049" height="394" lightbox="lightbox"></amp-img></figure> <p><em>Figure 11: Empty DACL</em></p> <p>This prevents Windows 7 users from using Windows Task Manager to terminate the process.</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-12.png" layout="intrinsic" class="wp-image-448282" alt="" width="765" height="413" lightbox="lightbox"></amp-img></figure> <p><em>Figure 12: Error message</em></p> <p>However, users can still terminate the process from Administrator mode in the Task Manager and the technique does not work in Windows 8.1 and above.</p> <p>Mekotio also loads two DLLs needed during execution, “Magnification.dll” and “dwmapi.dll”. Finally, the malware begins its enumeration procedure and initiates command and control (C2) communication. Like most other Delphi-based banking trojans, the different classes and functions implementing the various features of the malware are scheduled via Delphi Timer objects.</p> <h2 class="wp-block-heading">Persistence</h2> <p>Upon execution, Mekotio establishes persistence using a registry key. 
It writes the path of the running executable (the legitimate binary loading the Picanha stage 2 DLL) to the following key, causing Mekotio to execute immediately after every login. At the same time, a file “maisum2.dat” is dropped into the current directory as an indicator that persistence was established successfully.</p> <pre class="wp-block-code"><code>HKEY_CURRENT_USER\Environment\UserInitMprLogonScript</code></pre> <p>In addition, Mekotio is able to accept a C2 command requesting to establish persistence through another registry key. In that case, the banking trojan runs </p> <figure class="wp-block-image size-full is-resized"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Screenshot-2024-10-16-at-10.22.38%E2%80%AFAM-1.png" layout="intrinsic" class="wp-image-448290" alt="" width="85" height="34" lightbox="lightbox"></amp-img></figure> <p> with the “REG ADD” command to write the same path to:</p> <pre class="wp-block-code"><code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code></pre> <h2 class="wp-block-heading">Command and control</h2> <p>Mekotio begins its first C2 connection with an HTTP POST request, sending an encrypted string containing basic enumeration data on the newly infected client. For example:</p> <pre class="wp-block-code"><code>dqbw802=7mvejj3zfwoD5880AhFzv62fA3n7sz8oB4nBoAB3Da&Bcdv2=D929321e3a0651A0ae94b2979e&by4ps8=067DAF75a59388eb63d56AD1474EB73F&40z0uuE=9034F4&y1ry=86FD5dF9&h5i2c8cD3=F37c8880819a78d86bF55BE04e&5c9mt=&zwCbcq=6E8389839392D52FEA31D356C73bA429ac53&83whhjc=&</code></pre> <p>The data is formatted using the following pattern:</p> <pre class="wp-block-code"><code>&lt;random_string&gt;=&lt;value1&gt;&amp;&lt;random_string&gt;=&lt;value2&gt;&amp;&lt;random_string&gt;=&lt;value3&gt;...</code></pre> <p>The first value is a randomly generated 42-character key, which decrypts all other values using the standard Mekotio string encryption algorithm. 
The encrypted values contain the following system information: </p> <ul class="wp-block-list"> <li>Computer name</li> <li>Username</li> <li>Windows version</li> <li>Mekotio version string “D22”</li> <li>Installed security software (Topaz OFD, Trusteer, Banco Bradesco “Componentes de Segurança”)</li> <li>Installed anti-virus software </li> </ul> <p>The analyzed sample does not contain a valid URL, which in turn causes the C2 request to fail. As often observed in related banking trojans, this might well be a deprecated functionality not properly cleaned up.</p> <h2 class="wp-block-heading">DGA</h2> <p>The rest of the banking trojan’s functionality may use a choice of two different DGA mechanisms to generate a domain and resolve its C2 server. Afterward, the actual Mekotio C2 communication is performed via Windows Sockets.</p> <p>The first DGA mechanism, when the DGA mode configuration value is set to 1, generates a new domain based on the following data: </p> <ol class="wp-block-list"> <li>Day of the month</li> <li>Month of the year</li> <li>Hardcoded seed “mkro” </li> </ol> <p>The resulting strings are then concatenated. For September 16th for instance, the result is “1609mkro.”</p> <p>For a DGA mode set to 2, Mekotio also incorporates the hour of the day within a specific period. 
The following time frames are mapped to a specific string:</p> <figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><td><strong>Time is less than</strong></td><td><strong>Mapped string</strong></td></tr></thead><tbody><tr><td>07:00:00</td><td>“AM01”</td></tr><tr><td>08:00:00</td><td>“AM02”</td></tr><tr><td>09:00:00</td><td>“AM03”</td></tr><tr><td>10:00:00</td><td>“AM04”</td></tr><tr><td>11:00:00</td><td>“AM05”</td></tr><tr><td>12:00:00</td><td>“AM06”</td></tr><tr><td>13:00:00</td><td>“PM01”</td></tr><tr><td>14:00:00</td><td>“PM02”</td></tr><tr><td>15:00:00</td><td>“PM03”</td></tr><tr><td>16:00:00</td><td>“PM04”</td></tr><tr><td>17:00:00</td><td>“PM05”</td></tr><tr><td>18:00:00</td><td>“PM06”</td></tr></tbody></table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div></figure> <p>The second DGA method uses the provided string to concatenate the following data: </p> <ol class="wp-block-list"> <li>Day of the week</li> <li>Day of the month</li> <li>Timeframe string</li> <li>Hardcoded seed “mkro” </li> </ol> <p>As a result, the second DGA method would form the string “MON16AM04mkro” for the date and time “September 16th at 09:42.”</p> <p>From this point, both methods are the same. They generate an MD5 hash of the concatenated string and use the first 20 characters as a subdomain. 
The apex domain is retrieved using a list that corresponds to the current day of the month:</p> <pre class="wp-block-code"><code>01 blogdns[.]com 02 blogdns[.]net 03 blogdns[.]org 04 blogsite[.]org 05 webhop[.]biz 06 webhop[.]info 07 dnsalias[.]com 08 dnsalias[.]net 09 dnsalias[.]org 10 dnsdojo[.]com 11 doesntexist[.]com 12 doesntexist[.]org 13 dontexist[.]com 14 dontexist[.]net 15 dontexist[.]org 16 doomdns[.]com 17 doomdns[.]org 18 dvrdns[.]org 19 dyn-o-saur[.]com 20 dynalias[.]com 21 dynalias[.]net 22 dynalias[.]org 23 dynathome[.]net 24 endofinternet[.]net 25 endofinternet[.]org 26 endoftheinternet[.]org 27 webhop[.]org 28 issmarterthanyou[.]com 29 neat-url[.]com 30 from-ks[.]com 31 dyndns-remote[.]com</code></pre> <p>For both methods explained above, the final C2 domains are:</p> <pre class="wp-block-code"><code>3cd99dd0981c76e5a7b9[.]doomdns[.]com 4e342df890dd9fb169e0[.]doomdns[.]com</code></pre> <p>Mekotio also supports a C2 mode of 0, which is likely meant as a fallback or testing channel, and contains a hardcoded IP address to be used as a C2 server:</p> <pre class="wp-block-code"><code>177.235.219[.]126</code></pre> <h2 class="wp-block-heading">Behavior</h2> <p>Just like most other banking trojans, all specific functionality of Mekotio requires sensitive strings. These are decrypted at runtime to avoid static detections. Mekotio uses an old algorithm which is among the most common ones in LATAM banking trojans, and has been used as such or in slight variations with other bankers including <a href="https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/" >Grandoreiro</a>, Ousaban and Astaroth/Guildma. 
It has been documented numerous times before, but the following is an example Python implementation:</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-Chart-14.png" layout="intrinsic" class="wp-image-448294" alt="" width="1366" height="375" lightbox="lightbox"></amp-img></figure> <p>The main objective of Mekotio or any other LATAM banking trojan is to discover the use of banking applications and attempt to manipulate the apps, web apps or the users themselves to commit banking fraud. In the initial discovery of targeted banking applications, the banking trojans include a list of strings containing the names of common financial institutions and their related apps. This list is constantly compared against any open windows on the infected machine. If there is a match, the banking trojan will inform the operator which exact application is used. Mekotio contains the following list indicating a clear targeting towards banking apps used throughout LATAM:</p> <pre class="wp-block-code"><code>BancoDaycoval BancoMercantil CCBBrasil agibank aplicativoita asaas atendimentoita badesul bancoalfa bancobmg bancobradesco bancobs2 bancodaamazonia bancodobrasil bancodoestadodopar bancodonordeste bancointer bancoita bancomercantil bancooriginal bancorendimento bancotopazio bancovotorantim banesedoseujeito banestes banrisul bbcombr bdmgdigital binance bitcointrade bitfinex bitpreco bitstamp blockchain bnb.gov.br bradesco braziliex brbbanknet citibank civiacontaonline contasimples coopcred cora credinet credisis creditran credsis cresolinternetbanking gerenciadorfinanceiro homebank internetbanking.banpara internetbankingcai itauaplicativo.exe logincaixa loginx mercadobitcoin mercadopago navegadorexclusivo pagueveloz picpay poloniex primebit primexbt pro.bitcointoyou recargapay safranetbanking santand sicoob sicredi sisprime sisprime sofisa stone tribanco unicred uniprime viacredi wise</code></pre> <p>When one of 
the referenced banking applications is detected, Mekotio can handle specific commands. These commands implement the following functionality: </p> <ul class="wp-block-list"> <li>Lock the applications window to prevent users from exiting</li> <li>Grab input from the window, which might include credentials and tokens</li> <li>Create a fake window imitating the banking application to capture credentials or tokens</li> <li>Display or capture a QR code, which may be used to circumvent multi-factor authentication (MFA)</li> <li>Display a token again to circumvent MFA </li> </ul> <p>Mekotio contains several images designed to imitate banking applications:</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-13.png" layout="intrinsic" class="wp-image-448283" alt="" width="1362" height="763" lightbox="lightbox"></amp-img></figure> <p><em>Figure 13: Readily available application images</em></p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-14.png" layout="intrinsic" class="wp-image-448284" alt="" width="1090" height="906" lightbox="lightbox"></amp-img></figure> <p><em>Figure 14: Readily available application images</em></p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-15.png" layout="intrinsic" class="wp-image-448285" alt="" width="1203" height="908" lightbox="lightbox"></amp-img></figure> <p><em>Figure 15: Readily available application images</em></p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-16.png" layout="intrinsic" class="wp-image-448286" alt="" width="1355" height="772" lightbox="lightbox"></amp-img></figure> <p><em>Figure 16: Readily available application images</em></p> <p>In addition, Mekotio supports a list of further commands to control the infected 
machine, including commands to: </p> <ul class="wp-block-list"> <li>Send keystrokes, mouse movement, clicks or scrolls</li> <li>Display windows with custom text</li> <li>Send or receive clipboard data</li> <li>Change C2 modes</li> <li>Beacon/Ping C2</li> <li>Kill process “core.exe” associated with banking security software</li> <li>Kill browsers</li> <li>Maximize browser windows</li> <li>Show taskbar</li> <li>Send system enumeration data</li> <li>Take screenshots</li> <li>Constantly check for windows such as “Task Manager” and “Warning” and immediately close them </li> </ul> <p>Another interesting functionality exhibited by Mekotio is a feature internally called “Troca sistema de lugar”, which roughly translates to “Change system location” (Portuguese machine translation). Mekotio will send an HTTP GET request to retrieve an encrypted string stored at:</p> <pre class="wp-block-code"><code>https://api.cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my</code></pre> <p>The string contains a key and encrypted data between hardcoded separators, which reveal a list of further download URLs hosted on Google Firebase:</p> <pre class="wp-block-code"><code>https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire.txt?alt=media&token=096bbc3c-d9eb-4010-a8c7-36d51874bff7 https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire?alt=media&token=8c582627-8a00-4e3d-9bc5-9b657ad0f135</code></pre> <p>Both URLs host the same 40KB JSON file. 
Mekotio downloads this file as part of the next stage of the process.</p> <figure class="wp-block-image size-full"><amp-img src="https://securityintelligence.com/wp-content/uploads/2024/10/Hive-fig-17.png" layout="intrinsic" class="wp-image-448287" alt="" width="1372" height="541" lightbox="lightbox"></amp-img></figure> <p><em>Figure 17: JSON file contents</em></p> <p>The JSON file contains two lists, “diretorioraiz” and “nomesdiretorio.” The former contains four system directories, and the latter is what appears to be a large list of folder names related to video games. Although the exact purpose of this content is not clear, Mekotio appears to randomly select and create a folder from the list and copy its archive to the new location. Afterward, it re-establishes persistence through the registry run key.</p> <h2 class="wp-block-heading">Conclusion</h2> <p>Hive0147 is just one of dozens of malware distributors enabling the cyber crime ecosystem in LATAM. IBM X-Force is observing an increase in threats targeting the region with newly developed malware such as Picanha, and high volumes of phishing campaigns. Ultimately, the close collaboration between LATAM cyber crime groups should urge defenders to collaborate just as closely. By making full use of <a href="https://www.ibm.com/topics/threat-intelligence" >threat intelligence</a> to stay informed about the latest threats and best practices, individuals and organizations can mitigate the risks associated with banking trojans and protect themselves from financial loss. 
Combating these threats and ensuring a secure digital future for the region requires strong cooperation between governments, financial institutions, law enforcement and security researchers.</p> <h2 class="wp-block-heading">Technical recommendations</h2> <p>IBM X-Force encourages organizations that may be impacted by these campaigns to review the following recommendations: </p> <ul class="wp-block-list"> <li>Exercise caution with emails and PDFs prompting a file download</li> <li>Monitor emails for URLs abusing cloud service domains such as “app.goo.gl” for phishing</li> <li>Monitor the registry keys used for persistence: </li> <li><strong>HKEY_CURRENT_USER\Environment\UserInitMprLogonScript</strong></li> <li><strong>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</strong> </li> <li>Consider blocking pre-calculated DGA domains via DNS</li> <li>Install and configure endpoint security software</li> <li>Update relevant network security monitoring rules</li> <li>Educate staff on the potential threats to the organization </li> </ul> <p><em>To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services </em><a href="https://www.ibm.com/account/reg/us-en/signup?formid=urx-52262" >schedule a meeting here</a><em>.</em></p> <p><em>If you are experiencing cybersecurity issues or an incident, contact </em><a href="https://www.ibm.com/x-force" >X-Force</a><em> to help: </em> </p> <p><em>US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.</em></p> <h2 class="wp-block-heading">Indicators of compromise</h2> <figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>Indicator</strong></td><td><strong>Indicator Type</strong></td><td><strong>Context</strong></td></tr><tr><td> https://yhv6e.app.goo[.]gl/ASmaxYfRW4Eh9j34A</td><td> URL</td><td> Hive0147 phishing URL</td></tr><tr><td> https://xek99.app.goo[.]gl/g21ytBravSMDQb7H6</td><td> 
URL</td><td> Hive0147 phishing URL</td></tr><tr><td> d5800c06fe27cf0c6858ea7e02c8b2d35d7a76a93077f9ca6e41878603c38ef3</td><td> SHA256</td><td> Picanha Downloader stage 1</td></tr><tr><td> olukv[.]familyrealstore[.]com</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> khqry[.]vitapronobisfassolution[.]com[.]br</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> izlhu[.]ometodoseroficial[.]com</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> jmaah[.]clicktelefoniaempresarial[.]com[.]br</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> sohye[.]topracoes[.]com</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> tjqty[.]deccsmagazine[.]com[.]br</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> ljoea[.]curasdanatureza[.]com</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> zpguk[.]cozinhaofertas[.]com</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> hzfzx[.]khadicomunicacao[.]com[.]br</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> dyicn[.]ofertadsn[.]com[.]br</td><td> Domain</td><td> Picanha download domain</td></tr><tr><td> 39222481d69aa4d92a5c4d5c094a86909ebff762f6336f1a186fa94d3cc01012</td><td> SHA256</td><td> Legitimate application</td></tr><tr><td> 4e62a102a00b071ee9f7b7e6ace0d558e18ba1a61a937676c4460a0f33a3e87e</td><td> SHA256</td><td> Picanha stage 2 DLL</td></tr><tr><td> 18b09a8dfb6b553f355382127a67ad1ba5909b442e0e9fadb7ebd7d89675ea9b</td><td> SHA256</td><td> Encrypted Mekotio payload</td></tr><tr><td> 6a5db2fe1deabd14864a8d908169e4842c611581bdc3357fa597a8fbbc37baf6</td><td> SHA256</td><td> Decrypted Mekotio banking trojan</td></tr><tr><td> 3cd99dd0981c76e5a7b9[.]doomdns[.]com </td><td> Domain</td><td> Mekotio example DGA domain</td></tr><tr><td> 4e342df890dd9fb169e0[.]doomdns[.]com</td><td> Domain</td><td> Mekotio example DGA domain</td></tr><tr><td> 177.235.219[.]126</td><td> IP</td><td> Mekotio fallback C2 
server</td></tr><tr><td> https://api.cacher[.]io/raw/484822a63a80cb632f44/3b169ddbbaa8dcf4255c/my</td><td> URL</td><td> Mekotio component download URL</td></tr><tr><td> https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire.txt?alt=media&token=096bbc3c-d9eb-4010-a8c7-36d51874bff7 </td><td> URL</td><td> Mekotio component download URL</td></tr><tr><td> https://firebasestorage[.]googleapis[.]com/v0/b/drop-a82ec.appspot.com/o/fire?alt=media&token=8c582627-8a00-4e3d-9bc5-9b657ad0f135</td><td> URL</td><td> Mekotio component download URL</td></tr></tbody></table><div class="table-scroll-help-text"><span>Scroll to view full table </span></div></figure> <p></p> </body></html> <div id="nc_pixel"></div><div class="post__tags"> <a href="https://securityintelligence.com/tag/ibm-x-force-research/" rel="tag">IBM X-Force Research</a><span> | </span><a href="https://securityintelligence.com/tag/latin-america/" rel="tag">Latin America</a><span> | </span><a href="https://securityintelligence.com/tag/malware/" rel="tag">Malware</a><span> | </span><a href="https://securityintelligence.com/tag/phishing/" rel="tag">Phishing</a><span> | </span><a href="https://securityintelligence.com/tag/threat-intelligence-2/" rel="tag">Threat Intelligence</a><span> | </span><a href="https://securityintelligence.com/tag/x-force/" rel="tag">X-Force</a></div> <div class="post__author author "> <div class="author__box"> <div class="author__photo" style="background-image: url(https://securityintelligence.com/wp-content/uploads/2021/06/Golo-Mühr-Headshot.png);"></div> <div class="author__infos"> <div class="author__name"><a href="https://securityintelligence.com/author/golo-muhr/" >Golo Mühr</a></div> <div class="author__role">X-Force Threat Intelligence, IBM</div> </div> </div> <div class="author__box"> <div class="author__photo" style="background-image: url(https://securityintelligence.com/wp-content/uploads/2020/04/profile-pic-2.jpg);"></div> <div class="author__infos"> <div 
class="author__name"><a href="https://securityintelligence.com/author/melissa-frydrych/">Melissa Frydrych</a></div> <div class="author__role">Threat Hunt Researcher, IBM</div> </div> </div> </div> <!-- CONTINUE READING --> </main> </div> </div>
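<script>
  // Boot every Kaltura video placeholder on the page.
  // A placeholder is any element tagged data-widget="videoplayer"; its element id
  // is suffixed with its data-videoid ("<id>--<videoid>") and the theme's player
  // bootstrap, getKalturaVideo (defined by a script not visible here), is then
  // invoked on the element.
  //
  // querySelectorAll never returns null, only a possibly-empty NodeList, so the
  // original `!= null` guard was a no-op. The real failure mode was a placeholder
  // without an id: document.getElementById('') returns null and the property
  // write threw a TypeError, aborting the loop for every remaining player.
  const kaltura = document.querySelectorAll('[data-widget="videoplayer"]');
  kaltura.forEach((item) => {
    if (!item.id) {
      // Nothing to derive a unique player id from; skip instead of throwing.
      return;
    }
    // Rename the element directly instead of re-looking it up by id, so a
    // duplicate id elsewhere in the document cannot redirect the rename.
    item.id = item.id + '--' + item.dataset.videoid;
    getKalturaVideo(item);
  });
</script>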
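<script>
  // Theme glue for the Carbon (dds-*) web components used by the newsletter CTA
  // and the page footer. Runs after the DOM is parsed so the custom elements have
  // had a chance to upgrade and attach their shadow roots.
  document.addEventListener('DOMContentLoaded', () => {
    // Force a white outline style onto the CTA's inner Carbon button (.bx--btn),
    // including on hover, because it sits on a dark (#161616) background.
    const ctaButton = document.querySelector('.button2');
    // shadowRoot is null until the element is upgraded (or if the component
    // module failed to load). The original dereferenced it unguarded and threw,
    // which also skipped the CTA-section fix-up further down.
    const buttonRoot = ctaButton ? ctaButton.shadowRoot : null;
    const innerButton = buttonRoot ? buttonRoot.querySelector('.bx--btn') : null;
    if (innerButton) {
      const applyOutline = (backgroundColor) => {
        innerButton.style.color = 'white';
        innerButton.style.borderColor = 'white';
        innerButton.style.backgroundColor = backgroundColor;
      };
      innerButton.style.color = 'white';
      innerButton.style.borderColor = 'white';
      innerButton.addEventListener('mouseover', () => applyOutline('rgba(141, 141, 141, 0.16)'));
      // Reset the background when the pointer leaves.
      innerButton.addEventListener('mouseout', () => applyOutline('transparent'));
    }

    // Hide the CTA section's leading spacer so the block sits flush.
    const ctaSection = document.querySelector('dds-cta-section');
    const sectionRoot = ctaSection ? ctaSection.shadowRoot : null;
    const leadingSpace = sectionRoot
      ? sectionRoot.querySelector('.bx--content-section__leading')
      : null;
    if (leadingSpace) {
      leadingSpace.style.display = 'none';
    }
  });

  // Footer size; guarded so a page variant without the footer component does not
  // throw (the original assigned through an unchecked querySelector result).
  const footer = document.querySelector('dds-footer-container');
  if (footer) {
    footer.size = 'default';
    // The original carried a commented-out sample that set footer.adjunctLinks to
    // an array of { title, link } objects to add custom footer links; it was left
    // disabled and is not reproduced here.
  }
</script>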
<!-- FOOTER SCRIPTS -->
<script id="qppr_frontend_scripts-js-extra">
  // Configuration emitted for the "Quick Page/Post Redirect" WordPress plugin
  // (qppr_frontend_script.min.js, loaded immediately after this block).
  //
  // linkData is keyed by the page URL the plugin watches for; each value is a
  // three-element tuple whose last element is the redirect target ("" when none
  // is configured). The meaning of the two leading flags is not visible here —
  // consult the plugin source before relying on them.
  var qpprFrontData = {
    linkData: {
      'https:\/\/securityintelligence.com\/defining-security-intelligence\/': [
        0,
        0,
        'https:\/\/securityintelligence.com\/defintion-security-intelligence\/#.VS_NwpNnuZA'
      ],
      'https:\/\/securityintelligence.com\/security-vulnerability-management-its-about-outcomes-not-activity\/': [
        0,
        0,
        ''
      ]
    },
    siteURL: 'https:\/\/securityintelligence.com',
    siteURLq: 'https:\/\/securityintelligence.com'
  };
</script>
<script type="text/javascript"
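src="https://securityintelligence.com/wp-content/plugins/quick-pagepost-redirect-plugin/js/qppr_frontend_script.min.js?ver=5.2.4" id="qppr_frontend_scripts-js"></script>
<script>
  // Reveal the "related content" card once the Carbon card components have had
  // a moment to upgrade, and left-align the link inside the card footer's shadow
  // root. The 100 ms delay is inherited from the original; it is a timing
  // heuristic, not a guarantee that the component has upgraded — hence the guards.
  setTimeout(() => {
    const related = document.querySelector('.related_content');
    if (!related) {
      // Not every page variant renders the related-content card; the original
      // threw a TypeError here on such pages.
      return;
    }
    related.style.visibility = 'visible';

    const cardFooter = document.querySelector(
      '.related_content.article.article_grid.article__mobile--card.article--IBM_blog > c4d-card > c4d-card-footer'
    );
    // shadowRoot is null until the custom element upgrades; #link lives inside it.
    const footerLink = cardFooter && cardFooter.shadowRoot
      ? cardFooter.shadowRoot.querySelector('#link')
      : null;
    if (footerLink) {
      footerLink.style.justifyContent = 'flex-start';
    }
  }, 100);
</script>
</body>
</html>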