{"id":10,"date":"2021-12-21T22:48:54","date_gmt":"2021-12-21T22:48:54","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=10"},"modified":"2021-12-21T22:48:54","modified_gmt":"2021-12-21T22:48:54","slug":"mekotio-distribution-campaign-targeting-latam","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2021\/12\/21\/mekotio-distribution-campaign-targeting-latam\/","title":{"rendered":"Mekotio distribution campaign targeting LATAM"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><a>Overview<\/a><\/h2>\n\n<p>&nbsp;<\/p>\n\n<p>This report describes the TTPs and IOCs identified for a campaign distributing the Mekotio banking trojan in LATAM. SCILabs identified and analyzed it while threat hunting during the third week of September and has continued to monitor it since. The trojan steals credentials for multiple banking institutions by displaying fake forms that impersonate the legitimate sites; it also hijacks cryptocurrency transactions by replacing wallet addresses copied to the clipboard with the cybercriminals&#8217; own wallet.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>During the investigation no further details were obtained about how the campaign is delivered; however, based on the evidence collected, SCILabs assesses with high confidence that phishing by email and by website are the main<a href=\"https:\/\/infochannel.info\/aumentan-ataques-de-phishing-60-en-mexico-sophos\/\" data-type=\"URL\" data-id=\"https:\/\/infochannel.info\/aumentan-ataques-de-phishing-60-en-mexico-sophos\/\"> initial attack vectors<\/a>. 
This report presents the analysis of each element of the campaign. Based on SCILabs telemetry, its modus operandi impersonates Mexican and Chilean tax authorities, namely the <em>Servicio de Administraci\u00f3n Tributaria<\/em> (<em>SAT<\/em>) and the <em>Servicio de Impuestos Internos<\/em> (<em>SII<\/em>), as the pretext for the phishing emails.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>After analyzing the campaign and its artifacts, SCILabs determined with high confidence that the attackers&#8217; general objective is to install the banking trojan on end users&#8217; machines and steal their information, particularly in Chile and Mexico.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>Additionally, combining SCILabs intelligence with information obtained from public and private sources, the campaign has the potential to spread to other LATAM countries and to widen the set of banking institutions it targets, given its versatility and the rapid evolution of its TTPs.<\/p>\n<h2><a>How could it affect an organization?<\/a><\/h2>\n\n<p>&nbsp;<\/p>\n\n<p>The campaign can cause financial loss to an organization because Mekotio&#8217;s main objective is to steal its users&#8217; banking information. In addition, during the analysis the trojan was found to be able to download and drop additional malicious artifacts on demand, so it could be combined with other malware such as ransomware. This would expose the organization&#8217;s information assets to unauthorized access, hijacking, and data leakage. 
Since the trojan has evolved its TTPs compared to previous campaigns in order to hinder detection and analysis, it is important to be aware of this kind of threat.<\/p>\n\n<p>&nbsp;<\/p>\n\n<h2 class=\"wp-block-heading\"><a>Analysis<\/a><\/h2>\n\n<p>&nbsp;<\/p>\n\n<h3 class=\"wp-block-heading\">Threat Context<\/h3>\n\n<p>&nbsp;<\/p>\n\n<p>During the threat hunting process, three artifacts with similar behavior were identified. SCILabs analyzed and investigated each of them to determine whether they belonged to the same campaign. Based on this research, SCILabs considers with high confidence that the Mekotio distribution campaign in Mexico uses phishing emails that impersonate the <em>Servicio de Administraci\u00f3n Tributaria<\/em> (<em>SAT<\/em>), and with medium confidence that the campaign directed at Chile uses a fake site impersonating the <a href=\"https:\/\/twitter.com\/KingRondeforr\/status\/1435246232646078472\" data-type=\"URL\" data-id=\"https:\/\/twitter.com\/KingRondeforr\/status\/1435246232646078472\"><em>Servicio de Impuestos Internos<\/em> (<em>SII<\/em>)<\/a>.<\/p>\n\n<p>&nbsp;<\/p>\n\n<figure id=\"attachment_18\" aria-describedby=\"caption-attachment-18\" style=\"width: 324px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-18 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2021\/12\/wp1.png\" alt=\"\" width=\"324\" height=\"389\" \/><figcaption id=\"caption-attachment-18\" class=\"wp-caption-text\">Figure 1 &#8211; Phishing email impersonating the SAT<\/figcaption><\/figure>\n\n<p>&nbsp;<\/p>\n\n<h3 class=\"wp-block-heading\">Attack flow<\/h3>\n\n<p>&nbsp;<\/p>\n\n<h4 class=\"wp-block-heading\"><strong>Campaign directed to Mexico<\/strong><\/h4>\n\n<p>&nbsp;<\/p>\n\n<h4 
class=\"wp-block-heading\"><strong>Campaign directed to Chile<\/strong><\/h4>\n\n<p>&nbsp;<\/p>\n\n<h3 class=\"wp-block-heading\">Malware analysis<\/h3>\n\n<p>&nbsp;<\/p>\n\n<p>From the analysis of the artifacts, SCILabs determined that the campaigns targeting Mexico and Chile use two different versions of the Mekotio trojan. The main difference is that the artifact aimed at Chile embeds inside its MSI file the three files needed to run the banking trojan, instead of downloading them as the version aimed at Mexico does. Both versions share the following capabilities:<\/p>\n\n<p>&nbsp;<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Anti-sandbox checks<\/li>\n<li>Packed banking trojan DLL<\/li>\n<li>Collection of operating system and architecture information<\/li>\n<li>Detection of open windows and deployment of the embedded resources matching the institution whose information the malware will steal<\/li>\n<li>Clipboard hijacking<\/li>\n<li>Theft of banking information<\/li>\n<\/ul>\n\n<p>&nbsp;<\/p>\n\n<p>The MSI files were analyzed. In the artifacts directed at Mexico it was possible to observe the download URL of the archive containing the AutoHotkey executable, its script, and the Mekotio trojan DLL, whereas in the artifact directed at Chile the malicious files are embedded in the MSI itself.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>The conditions that the malicious MSI file requires in order to run were also obtained; the main ones observed are:<\/p>\n\n<p>&nbsp;<\/p>\n\n<ul class=\"wp-block-list\">\n<li>The MSI file does not run on computers with names such as JOHN-PC, LISA-PC or SVIARTA, among others<\/li>\n<li>The MSI file does not run in virtualized or sandbox environments<\/li>\n<li>The MSI file runs only if there is an Internet connection<\/li>\n<li>The MSI file does not run on Windows 9x versions<\/li>\n<\/ul>\n\n<p>&nbsp;<\/p>\n\n<p>Once the MSI file verifies that these conditions are met, it drops an <strong>xy.txt<\/strong> or <strong>ko.txt<\/strong> file in <strong>C:\\ProgramData<\/strong> that serves as a verification flag to continue the infection.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>A notable feature of the custom actions in the MSI file of the campaign directed at Mexico is that it contains obfuscated JavaScript code that performs the following functions:<\/p>\n\n<p>&nbsp;<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Verify that the compressed archive downloaded by the MSI file exists in <strong>C:\\ProgramData\\%RandomName%<\/strong> and that it contains the Mekotio trojan artifacts<\/li>\n<li>Extract and rename the artifacts<\/li>\n<li>Delete the downloaded archive<\/li>\n<li>Create the <strong>btdae<\/strong> file, used to detect a previous infection if the MSI file is executed more than once<\/li>\n<li>Create the registry value <strong>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\%RandomName%<\/strong> for persistence<\/li>\n<li>Run the AutoHotkey executable to load the Mekotio trojan DLL into memory<\/li>\n<\/ul>\n\n<p>&nbsp;<\/p>\n\n<p>All of these operations are performed through ActiveXObject instances.<\/p>\n\n<p>&nbsp;<\/p>\n\n<figure id=\"attachment_28\" aria-describedby=\"caption-attachment-28\" style=\"width: 568px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-28 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2021\/12\/wp8.png\" alt=\"\" width=\"568\" height=\"459\" \/><figcaption id=\"caption-attachment-28\" class=\"wp-caption-text\">Figure 8 &#8211; Obfuscated JavaScript code fragment<\/figcaption><\/figure>\n\n<p>&nbsp;<\/p>\n\n<p>At the end of the infection process the victim&#8217;s computer is rebooted, so that the .ahk script is later run through the AutoHotkey executable and loads the Mekotio trojan DLL into memory. In the campaign directed at Chile the machine is not rebooted; the trojan is executed immediately after infection.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>Once the trojan is loaded into memory, a flag file named <strong>[%month-year%].txt<\/strong> is created in <strong>C:\\ProgramData<\/strong>. The trojan then waits for the user to open a web browser and spawns a sub-process responsible for displaying fake windows that impersonate banking institutions. Once the user visits a banking page, a <strong>nod32.block<\/strong> file is created, communication with the C2 site begins, and the artifacts for the fake windows are dropped under <strong>C:\\ProgramData\\%BankingInstitution%<\/strong>.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>An important feature found during the analysis is that the trojan can replace the contents of the clipboard. 
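<\/p>\n\n<p>As an added example (not SCILabs code and not part of the original report), the following Python script turns the artifacts described above into a host triage check: it looks for the <strong>xy.txt<\/strong>, <strong>ko.txt<\/strong>, <strong>btdae<\/strong>, <strong>nod32.block<\/strong> and <strong>[%month-year%].txt<\/strong> flag files in C:\\ProgramData, for a dropped directory holding an .ahk script next to an executable and a DLL, and for an HKCU Run value that launches an .ahk script from C:\\ProgramData. The exact format of the month-year flag name, the file names in the sample and the random directory name <code>hqzjtmw<\/code> are assumptions; the snapshot itself is constructed, not real telemetry.<\/p>\n\n

```python
"""Host triage for the Mekotio artifacts described above.
Added example, not SCILabs code. The checks take plain Python structures so they
run offline against a snapshot; collect_live() builds that snapshot on a real
Windows host. SAMPLE_SNAPSHOT at the bottom is constructed, not telemetry.
"""
import os
import re
from dataclasses import dataclass

# Flag files the report attributes to the MSI dropper (xy.txt, ko.txt, btdae) and
# to the loaded trojan (nod32.block), all directly under C:\ProgramData.
FLAG_FILES = {"xy.txt", "ko.txt", "btdae", "nod32.block"}
# "[%month-year%].txt": the month/year format is not given, so any bracketed
# name with a .txt extension is matched (assumption).
MONTH_YEAR_RE = re.compile(r"^\[[^\]]+\]\.txt$", re.IGNORECASE)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def triage_programdata(entries):
    """entries: names (files and directories) directly under C:\\ProgramData."""
    findings = []
    for name in entries:
        if name.lower() in FLAG_FILES:
            findings.append(Finding("mekotio_flag_file", name))
        elif MONTH_YEAR_RE.match(name):
            findings.append(Finding("mekotio_month_year_flag", name))
    return findings


def triage_dropped_dirs(dirs):
    """dirs: {subdirectory name: [file names]} under C:\\ProgramData."""
    # The dropper renames the three loader files, so names mean nothing; an
    # .ahk script sitting next to an executable and a DLL is the tell.
    findings = []
    for dirname, files in dirs.items():
        exts = {os.path.splitext(f)[1].lower() for f in files}
        if {".ahk", ".exe", ".dll"} <= exts:
            findings.append(Finding("ahk_dll_loader_set", dirname))
    return findings


def triage_run_key(values):
    """values: (value name, command) pairs read from HKCU\\...\\Run."""
    findings = []
    for value_name, command in values:
        low = command.lower()
        if "\\programdata\\" in low and (".ahk" in low or "autohotkey" in low):
            findings.append(Finding("run_key_ahk_from_programdata",
                                    f"{value_name} = {command}"))
    return findings


def triage(snapshot):
    """Run every check over a snapshot dict and return the combined findings."""
    return (triage_programdata(snapshot.get("programdata", []))
            + triage_dropped_dirs(snapshot.get("dropped_dirs", {}))
            + triage_run_key(snapshot.get("run_values", [])))


def collect_live():
    """Build the snapshot from a live Windows host; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    root = os.environ.get("ProgramData", r"C:\ProgramData")
    entries = os.listdir(root)
    dirs = {}
    for name in entries:
        path = os.path.join(root, name)
        if os.path.isdir(path):
            try:
                dirs[name] = os.listdir(path)
            except OSError:  # access denied on some system directories
                pass
    values, index = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append((name, str(data)))
            index += 1
    return {"programdata": entries, "dropped_dirs": dirs, "run_values": values}


# Constructed snapshot of an infected host after the reboot and a visit to a
# banking page; "hqzjtmw" stands in for the %RandomName% directory.
SAMPLE_SNAPSHOT = {
    "programdata": ["Microsoft", "Package Cache", "ko.txt", "btdae",
                    "[12-2021].txt", "nod32.block", "hqzjtmw"],
    "dropped_dirs": {"Package Cache": ["vc_redist.x64.exe"],
                     "hqzjtmw": ["qwvxe.exe", "qwvxe.ahk", "qwvxe.dll"]},
    "run_values": [
        ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'),
        ("hqzjtmw", r'"C:\ProgramData\hqzjtmw\qwvxe.exe" "C:\ProgramData\hqzjtmw\qwvxe.ahk"'),
    ],
}

if __name__ == "__main__":
    for finding in triage(collect_live() or SAMPLE_SNAPSHOT):
        print(f"[{finding.rule}] {finding.evidence}")
```

<p>On a Windows host, <code>collect_live()<\/code> builds the same snapshot from the real ProgramData directory and Run key; elsewhere the script falls back to the constructed snapshot. A legitimate Run value essentially never launches an AutoHotkey script from ProgramData, so that rule alone is a strong signal; the flag files are cheap corroboration that also tell you how far the infection progressed (<strong>ko.txt<\/strong>\/<strong>xy.txt<\/strong> and <strong>btdae<\/strong> before the reboot, <strong>[%month-year%].txt<\/strong> once the DLL is loaded, <strong>nod32.block<\/strong> only after a banking page was visited).<\/p>\n\n<p>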
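<\/p>\n\n<p>The clipboard replacement described above can be caught from the outside without knowing anything about the trojan itself. The following Python script is an added example (not SCILabs code): it replays a sequence of clipboard samples and raises an alert when a cryptocurrency address turns into a different address of the same kind with no user copy action and within a couple of seconds of appearing, which is how a clipper behaves and how a person does not. The victim address, the second address and the Ethereum addresses in the sample sequence are constructed (syntactically valid, not real wallets); the attacker address is the one reported below; the two-second window and the <code>user_copied<\/code> flag are assumptions about how the samples are collected.<\/p>\n\n

```python
"""Clipboard-swap detector for the wallet replacement described above.
Added example, not SCILabs code. detect_swaps() replays clipboard samples and
flags an address that silently turns into another one; watch() feeds it from the
live Windows clipboard. SAMPLE_EVENTS and the non-attacker wallets are constructed.
"""
import re
import time

# Syntax-only matchers: legacy P2PKH/P2SH (base58, no 0/O/I/l) and bech32 Bitcoin
# addresses, and 20-byte hex Ethereum addresses. No checksum is needed for
# detection: the trojan must emit a well-formed address or the payment fails.
BTC_RE = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$")
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Wallet the report attributes to the cybercriminals behind this campaign.
ATTACKER_WALLET = "18MvuBqbvrb6E4KseC91YRFjYNBKfcVp5f"
KNOWN_ATTACKER_WALLETS = {ATTACKER_WALLET}


def address_kind(text):
    """Return 'btc', 'eth' or None for a clipboard string."""
    text = text.strip()
    if BTC_RE.match(text):
        return "btc"
    if ETH_RE.match(text):
        return "eth"
    return None


def detect_swaps(samples, swap_window=2.0):
    """samples: (timestamp, clipboard_text, user_copied) tuples in time order.

    user_copied is True when a copy hook saw the user place the text, False for
    polled samples. Alert when an address becomes a different address of the same
    kind with no copy action and within swap_window seconds of the original
    appearing: a clipper swaps at once, a person copying a second address does not.
    """
    alerts, last_addr, last_kind, first_seen = [], None, None, 0.0
    for ts, text, user_copied in samples:
        kind = address_kind(text)
        addr = text.strip() if kind else None
        if addr != last_addr:
            if (kind is not None and kind == last_kind and not user_copied
                    and ts - first_seen <= swap_window):
                alerts.append({"time": ts, "kind": kind, "expected": last_addr,
                               "observed": addr,
                               "known_attacker": addr in KNOWN_ATTACKER_WALLETS})
            first_seen = ts  # the moment this clipboard content first appeared
        last_addr, last_kind = addr, kind
    return alerts


def read_clipboard_windows():
    """Current clipboard text via the Win32 API; None off Windows or if empty."""
    import ctypes
    if not hasattr(ctypes, "windll"):
        return None
    user32, kernel32 = ctypes.windll.user32, ctypes.windll.kernel32
    user32.GetClipboardData.restype = ctypes.c_void_p  # HANDLE, not a C int
    kernel32.GlobalLock.restype = ctypes.c_void_p
    kernel32.GlobalLock.argtypes = kernel32.GlobalUnlock.argtypes = [ctypes.c_void_p]
    if not user32.OpenClipboard(None):
        return None
    try:
        handle = user32.GetClipboardData(13)  # CF_UNICODETEXT
        if not handle:
            return None
        ptr = kernel32.GlobalLock(handle)
        try:
            return ctypes.wstring_at(ptr)
        finally:
            kernel32.GlobalUnlock(handle)
    finally:
        user32.CloseClipboard()


def watch(read_fn=read_clipboard_windows, interval=0.2, duration=None):
    """Poll the clipboard, recording only changes so first_seen stays accurate."""
    history, start = [], time.time()
    while duration is None or time.time() - start < duration:
        text = read_fn()
        if text is not None and (not history or history[-1][1] != text):
            history.append((time.time(), text, False))
            for alert in detect_swaps(history[-2:]):
                print("clipboard swap:", alert)
            history = history[-2:]
        time.sleep(interval)


# Constructed addresses: syntactically valid, not real wallets.
VICTIM_WALLET = "1HqzJ7YvkXmD9W3pTn2cAfBu8RsLk4eGNy"
OTHER_WALLET = "1HqzJ7YvkXmD9W3pTn2cAfBu8RsLk4eGNz"
SAMPLE_EVENTS = [
    (0.00, "Invoice 4471 - pay before Friday", True),
    (5.00, VICTIM_WALLET, True),       # user copies the payee's address
    (5.25, ATTACKER_WALLET, False),    # next poll: the clipper swapped it
    (40.0, VICTIM_WALLET, False),      # seen 35 s later: too slow for a clipper
    (52.0, OTHER_WALLET, False),       # user copies a second address: no alert
    (60.0, "0x" + "ab" * 20, False),   # kind changes btc -> eth: no alert
    (60.1, "0x" + "cd" * 20, False),   # eth -> other eth within 0.1 s: alert
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

<p>On Windows, <code>watch()<\/code> polls the live clipboard through the Win32 clipboard API and prints alerts; without a copy hook every sample is unexplained, so the time window is what separates a clipper from a user pasting two addresses back to back. The regexes check syntax only (no Base58 checksum), which is enough for detection because a swapped-in address that is not well formed would simply make the payment fail.<\/p>\n\n<p>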
With medium confidence, we consider that when a cryptocurrency wallet address is copied, it is replaced by the cybercriminals&#8217; address.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>Cybercriminal wallet:<strong> 18MvuBqbvrb6E4KseC91YRFjYNBKfcVp5f<\/strong><\/p>\n\n<p>&nbsp;<\/p>\n\n<p>It is also worth noting that, based on the analysis carried out, SCILabs considers with medium confidence that the Mekotio C2 sites detect VPN connections and check geolocation to prevent the trojan from running in unwanted locations. The ability to download artifacts on demand was also identified: during this analysis, a batch file that deletes the Mekotio trojan DLL was downloaded.<\/p>\n\n<p>&nbsp;<\/p>\n\n<figure id=\"attachment_31\" aria-describedby=\"caption-attachment-31\" style=\"width: 679px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-31 size-full\" src=\"https:\/\/blog.scilabs.mx\/en2\/wp-content\/uploads\/sites\/3\/2021\/12\/wp11.png\" alt=\"\" width=\"679\" height=\"211\" \/><figcaption id=\"caption-attachment-31\" class=\"wp-caption-text\">Figure 11 &#8211; Artifact downloaded on demand<\/figcaption><\/figure>\n\n<p>&nbsp;<\/p>\n\n<h2 class=\"wp-block-heading\">Most significant changes in Mekotio campaigns<\/h2>\n\n<p>&nbsp;<\/p>\n\n<p>After the previous campaigns, SCILabs continued to monitor the behavior of the trojan in the region and identified that Mekotio can abuse legitimate software such as the VirtualBox Guest Additions Tray Application and the Disc Soft Bus Service Pro from DAEMON Tools to load itself into memory. 
In addition, the malware is accompanied by legitimate DLLs such as sptdintf.dll, ipworksedi20.dll, ssleay32.dll, or libeay32.dll, as observed in <a href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2020\/09\/ESET_LATAM_financial_cybercrime.pdf\" data-type=\"URL\" data-id=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2020\/09\/ESET_LATAM_financial_cybercrime.pdf\">other<\/a> <a href=\"https:\/\/seguranca-informatica.pt\/latin-american-javali-trojan-weaponizing-avira-antivirus-legitimate-injector-to-implant-malware\/\" data-type=\"URL\" data-id=\"https:\/\/seguranca-informatica.pt\/latin-american-javali-trojan-weaponizing-avira-antivirus-legitimate-injector-to-implant-malware\/\">similar analyses<\/a>.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>SCILabs identified that the cybercriminals behind Mekotio constantly evolve their TTPs.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>During monitoring in the region, SCILabs identified the use of compressed \u201c.bat\u201d files to distribute the trojan.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>In addition, a PowerShell script was found that verifies the victim&#8217;s geolocation, which must correspond to Brazil, Chile, Mexico, Spain, or Peru, checks whether it is running in a virtualized environment, and downloads the artifacts needed to carry out the infection.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>Below, we present the attack flow of the last identified campaign.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>Based on the evidence found, SCILabs hypothesizes that the cybercriminals behind the threat are Brazilian, owing to the typical Brazilian jargon used in the source code of their artifacts.<\/p>\n\n<p>&nbsp;<\/p>\n\n<h3 class=\"wp-block-heading\"><a>TTPs observed aligned to MITRE\u2019s ATT&amp;CK framework<\/a><\/h3>\n\n<p>&nbsp;<\/p>\n\n<p>Below is the MITRE ATT&amp;CK matrix for the banking trojan campaign:<\/p>\n\n<p>&nbsp;<\/p>\n\n<figure class=\"wp-block-table is-style-stripes\">\n<table style=\"height: 
998px;\" width=\"954\">\n<thead>\n<tr>\n<td><strong>Initial Access<\/strong><\/td>\n<td><strong>Execution<\/strong><\/td>\n<td><strong>Persistence<\/strong><\/td>\n<td><strong>Defense Evasion<\/strong><\/td>\n<td><strong>Credential Access<\/strong><\/td>\n<td><strong>Discovery<\/strong><\/td>\n<td><strong>Collection<\/strong><\/td>\n<td><strong>C&amp;C<\/strong><\/td>\n<td><strong>Exfiltration<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>T1566.002 Spearphishing Link<\/td>\n<td>T1059.003 Windows Command Shell<\/td>\n<td>T1547.001 Registry Run Keys \/ Startup Folder<\/td>\n<td>T1140 Deobfuscate\/Decode Files or Information<\/td>\n<td>T1056 Input Capture<\/td>\n<td>T1083 File and Directory Discovery<\/td>\n<td>T1056 Input Capture<\/td>\n<td>T1571 Non-Standard Port<\/td>\n<td>T1041 Exfiltration Over C2 Channel<\/td>\n<\/tr>\n<tr>\n<td>\u00a0<\/td>\n<td>T1059.007 JavaScript<\/td>\n<td>\u00a0<\/td>\n<td>T1036 Masquerading<\/td>\n<td>\u00a0<\/td>\n<td>T1010 Application Window Discovery<\/td>\n<td>T1115 Clipboard Data<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<\/tr>\n<tr>\n<td>\u00a0<\/td>\n<td>T1204.001 Malicious Link<\/td>\n<td>\u00a0<\/td>\n<td>T1027.005 Indicator Removal from Tools<\/td>\n<td>\u00a0<\/td>\n<td>T1082 System Information Discovery<\/td>\n<td>T1005 Data from Local System<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<\/tr>\n<tr>\n<td>\u00a0<\/td>\n<td>T1204.002 Malicious File<\/td>\n<td>\u00a0<\/td>\n<td>T1027.002 Software Packing<\/td>\n<td>\u00a0<\/td>\n<td>T1614 System Location Discovery<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<\/tr>\n<tr>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>T1497 Virtualization\/Sandbox Evasion<\/td>\n<td>\u00a0<\/td>\n<td>T1016.001 Internet Connection Discovery<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<\/tr>\n<tr>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>T1112 Modify Registry<\/td>\n<td>\u00a0<\/td>\n<td>T1497.001 System Checks<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<\/tr>\n<tr>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>T1012 Query Registry<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<td>\u00a0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<figcaption>Table 1 &#8211; MITRE\u2019s ATT&amp;CK framework mapping of the banking trojan<\/figcaption>\n<\/figure>\n\n<p>&nbsp;<\/p>\n<hr class=\"wp-block-separator\" \/>\n<p>&nbsp;<\/p>\n\n<h2 class=\"wp-block-heading\"><a>Assessment<\/a><\/h2>\n\n<p>&nbsp;<\/p>\n\n<p>According to S CILabs telemetry, as in other campaigns, many trojans targeting LATAM use common techniques and share characteristics: they use droppers, generally obfuscated and written in other programming languages; they contain backdoor functionality; they use legitimate tools such as AutoHotkey; they use living-off-the-land techniques; and they rapidly evolve their techniques and dynamically generate malicious artifacts to hinder detection and analysis.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>Mekotio is a clear example: previous campaigns used AutoIt to load the malicious DLL into memory, whereas the latest campaigns use AutoHotkey as the loader, add sandbox detection in every phase of the infection, pack and encrypt the strings of the Mekotio artifact, and detect VPN connections and geolocation, all in order to make detection and analysis harder.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>During the analysis of these campaigns, SCILabs observed a technique commonly used by cybercriminals to remove their malicious artifacts once detected, downloading tools for that purpose. This capability could easily be combined with other types of malware, such as ransomware, putting the security of organizations&#8217; information assets at risk, which is why it is important to monitor these campaigns.<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>Based on SCILabs telemetry, banking trojans that target the region commonly target users of the most representative banks, trying to trick them with fake windows in order to steal their confidential information. The initial attack vector of this type of campaign is commonly phishing emails or sites that impersonate representative organizations of each country. 
In Mexico, as we saw in the analysis of this campaign, it is common for an attempt to impersonate the SAT, for what is extremely important to constantly carry out awareness campaigns at all levels of the organization so that users know the social engineering techniques that cybercriminals use to deceive.<\/p>\n\n<p>&nbsp;<\/p>\n\n<h2 class=\"wp-block-heading\">IoC<\/h2>\n\n<p>&nbsp;<\/p>\n\n<p>E262FEBEBFC91330540D721CF2773E53254B29BC669E74785F994C0268A930A3<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>9AF066B849412783F1A6A7FED9AB354CB281858AD22A2570B7F0B63AAAFF18E3<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>D22B4ABE87C3037194FF131747CC732CC8CB754D1828A68CE82D157C36B34F67<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>D4692FB2225C871958994669CFAC40DD26BCBC31674CA7261174B2F790356F27<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>EAC9861E590E1246E3A81D227B5C425B8382C5B259184FBC28C4D0E7BEE98186<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>945ADADA6CF6698B949359D9B395A5F905989D0D1EB84F537DE492ECC1263148<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>CEA3FA8EC56E8BC2DFA4B3DFFEF3E847118734CDF250AC87E423DAE450BA6AE7<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>DBBBA9C48D471E3361882CB41ED716B588B6A112D22C40611EEC9FD52AE65F72<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>A72F2415046908DB8F26DAFB91F98F3DE6D6CFC302A877BD52DA6C845CFA1BA2<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>BC6ADE51046ED777632A5F30FF895E8CDE04910EA6DCA6061B2FE2C7ADFD072B<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>945ADADA6CF6698B949359D9B395A5F905989D0D1EB84F537DE492ECC1263148<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>594236A8F3090FD8FF0D078CE17B3E512CD87FFA37A94F4162BEC9E72BDB0E9E<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>5FE74163D2668B86F559079F981A4ECB5D7E899135A005CB37E013BAC88E6E4F<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>99246C214E12BACD6B6DE328F635AF678CB17078F06B39356A1BC9E3CB98058F<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>93729227D752399266E1118098FD2C417F25D48CA3C45313A8697DA511A22CA8<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>945ADADA6CF6698B949359D9B395A5F905989D0D1EB84F537DE492ECC1263148<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>E5C3F24CAC6ACC208D1B913776B8A5815188CF38CC9D7E81AB2C9612498F6F85<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>40A1B
20169FB746D5E0218132C9D5D51C2C8FC7BAA385CAA8C7C317F19DAF0F0<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>D320315812AC19BEEE13063800A0CF8264C1A64242F14608F8687CD6F7A4A5ED<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>945ADADA6CF6698B949359D9B395A5F905989D0D1EB84F537DE492ECC1263148<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>B83413C5C363F8725B5C9EFCCAAA9CDA87724C4998B3A937F84ECE489F1E0F22<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>A921451F6635E5D1CB6C35C07A81FD7DD726B4F1996FE3139A9C1634F8AC991F<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>D36AF74F89DDB6599F1977FDEBF8DBAD64A128BAB6362D2A90E70C89DE25C86F<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>DCBA29F7634A9AD9EFC2468753AF42FAC6D5E0326E0A7F1627E7C9F2AD7D73AF<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>56C8C4E9144EF009102DE62159FEF1BF397A725F6C584BE790F107DEF68515B6<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>50A86C02B5A2A2B1B962284B4DE23C1479AA8717750986B30B750D339245830D<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>945ADADA6CF6698B949359D9B395A5F905989D0D1EB84F537DE492ECC1263148<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>D5C0A23B75BF5ED6E0161DB5A57974864A5EB5738E80804BDD30EEAF6817302E<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>6544F678296B9590A7F6F51FB52BB346EBF75C92D600C2159AB61CB825C772D1<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>A86F736AD7C91999FD33E0A008E0E7CF1E0D5900795499F50578A38D4C1A16FA<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>A322FE07DBB51BE33EE92E7295A9EC7FB1A6996CEF000F2723E5CEEEB81F4A5B<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>945ADADA6CF6698B949359D9B395A5F905989D0D1EB84F537DE492ECC1263148<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>111AD210C0460F6281EF3D5362D7F3110099B0CBEF2E863B4D8F4270A8617FDD<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>C19725BFA6EC88FE87564DE040634072F89AAF28E7E10B2B7E055229CCD5E8AB<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>F9DF0093B5903CBCB735A3E279F9BE2837618D507375323EC5A2E06F48B844E5<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>325A52F9DCCF111325DFAB8D3BDFACB2E87D86DC8A1356E68A5EAE4684F03C37<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>1B1F0E65B97E3E244BAA40C683E0F8D5F6E63718864CCCE4C1C26F0B7C832AD5<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>ACFA710206FE3C68BAF2FC782A7E0F75B13F14A4990837CE8B2F8F83F2D63815<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>DB8002A405F028C2E3538F8AF4ADB51
C2E996F687914287BDA02FB2AE85FE80C<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>EAFDC2A09BC696D06218541314110E87EA2DB3440125252C9EEBDAA03A14DA50<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>D0FE2C01297574D7482FBC33FA748863FE5D0C1EE32755128833488E146DDF08<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>BD0B0417BE5C047F9160F8C97E7E10D1313F350235EF235DC6BDEC9D5C4BE877<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>905F6E60A3B7C050EAD74F0F0C7D13CFDCF4415B8E7F6780BDE879985507CEDC<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>E99EBB043992341202F0645D0FCEEF847BCB231973AD42F2D9C6178AD354EC8C<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>FD011CAB980B5F4D18EFEC142AE5C64107E13569866B6688350247C724C12F15<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>2A30FE76A78BF9D1C3B3A731E92E2AEB0197E705BB658A1039B3135AE321E8FA<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>EXODUSWL[.]COM\/WACUWACU\/NOMEPARACOMPILAR[.]PHP<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>HOST[.]COLOCROSSING[.]COM[:]4470<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>GETAMAKEGIFTCARD.COM[:]4498<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>REDRAINBOW[.]DO[:]4439<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>40[.]124[.]76[.]15<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>185[.]66[.]41[.]156<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>20[.]106 [.]166 [.]75<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>PAUNAMAQUINA[.]SERVEBEER[.]COM<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>67[.]21[.]32[.]62<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>20[.]68[.]248[.]170<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>HXXP[:]\/\/20[.]68[.]248[.]170\/?A=Z0DEXUBSWD7FE45T3JHBMMJXCW3DON98P9LY3SRT<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>DEMICK@DEMICK.ADV.BR<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>LZ5[.]DUCKDNS[.]ORG\/?3TMB_<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>HXXP:\/\/WWW[.]CARPINTARIASX[.]COM\/?NIEBB2RGRFMP<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>HXXP[:]\/\/POMPANO1[.]DUCKDNS[.]ORG\/THERE[.]CARE<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>RENATONOMENGAO[.]COM\/SESSION_WORKS_V2<\/p>\n\n<p>&nbsp;<\/p>\n\n<p>LIBRASHOPPNG[.]NE<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview &nbsp; The following report describes the identified TTPs and IOCs of a campaign that is distributing the Mekotio 
banking<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-10","post","type-post","status-publish","format-standard","hentry","category-cyberactors"],"_links":{"self":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/10","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/comments?post=10"}],"version-history":[{"count":0,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/posts\/10\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/media?parent=10"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/categories?post=10"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.scilabs.mx\/en\/wp-json\/wp\/v2\/tags?post=10"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}