A newly spotted banking trojan has been caught leveraging legitimate platforms like YouTube and Pastebin to store its encrypted, remote configuration and commandeer infected Windows systems, making it the latest to join the list of banking trojans targeting Latin America (LATAM) after Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro.
The threat actor behind this malware family, dubbed “Numando”, is believed to have been active since at least 2018.
“[Numando brings] interesting new techniques to the pool of Latin American banking trojans’ tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images,” ESET researchers said in a technical analysis published on Friday. “Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain.”
Written in Delphi, the malware comes with an array of backdoor capabilities that allow it to control compromised machines, simulate mouse and keyboard actions, restart and shut down the host, display overlay windows, capture screenshots, and terminate browser processes. Numando is “almost exclusively” propagated by spam campaigns, ensnaring a few hundred victims to date, according to the cybersecurity firm’s telemetry data.
The attacks begin with a phishing message that comes embedded with a ZIP attachment containing an MSI installer, which, in turn, includes a cabinet (CAB) archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Executing the MSI leads to the execution of the application, causing the injector module to be side-loaded and decrypt the final-stage malware payload.
In an alternate distribution chain observed by ESET, the malware takes the form of a “suspiciously large” but valid BMP image file, from which the injector extracts and executes the Numando banking trojan. What makes the campaign stand out is its use of YouTube video titles and descriptions (now taken down) to store the remote configuration, such as the IP address of the command-and-control server.
“[The malware] uses fake overlay windows, contains backdoor functionality, and uses MSI [installer],” the researchers said. “It’s the only LATAM banking trojan written in Delphi that uses a non-Delphi injector and its remote configuration format is unique, making two reliable factors when identifying this malware family.”
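As an added illustration of the oversized-BMP carrier described above (this is example code, not from ESET's report or the article), the following Python triage check computes the size a BMP's own header geometry implies and reports how many bytes sit past the pixel array; a valid image whose file size far exceeds that figure is the kind of “suspiciously large” BMP worth a closer look. The `build_bmp` helper and the byte counts are constructed samples.

```python
import struct


def bmp_expected_size(data: bytes) -> int:
    """Size a well-formed BMP should have, derived from its own geometry.

    Handles the 40-byte BITMAPINFOHEADER layout with BI_RGB (uncompressed)
    pixel data; anything else raises ValueError. The bfSize field is ignored
    on purpose: a carrier file can set it to cover appended data, whereas
    width * height * bpp is fixed by what the image claims to display.
    """
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    # BITMAPFILEHEADER: 'BM' | bfSize | 2x reserved | bfOffBits
    _bf_size, pixel_offset = struct.unpack_from("<I4xI", data, 2)
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size != 40:
        raise ValueError(f"unsupported DIB header size {dib_size}")
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
    if compression != 0:
        raise ValueError("compressed BMP not handled")
    row_bytes = ((width * bpp + 31) // 32) * 4  # rows are padded to 4-byte boundaries
    return pixel_offset + row_bytes * abs(height)  # negative height = top-down image


def trailing_bytes(data: bytes) -> int:
    """Bytes that follow the pixel array (0 for a clean image)."""
    return max(0, len(data) - bmp_expected_size(data))


def build_bmp(width: int, height: int) -> bytes:
    """Construct a minimal valid 24-bit BMP (constructed sample, not a real file)."""
    row_bytes = ((width * 24 + 31) // 32) * 4
    pixels = b"\x00" * (row_bytes * height)
    offset = 54  # 14-byte file header + 40-byte DIB header
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_header + dib + pixels


if __name__ == "__main__":
    clean = build_bmp(2, 2)
    decoy = clean + b"\x00" * 10000  # constructed: opaque blob appended to a valid image
    for name, blob in (("clean", clean), ("decoy", decoy)):
        print(f"{name}: {len(blob)} bytes on disk, {trailing_bytes(blob)} past the pixel array")
```

The computed overhang is only a triage signal: a large value says the file carries more than an image, not what that extra data is, so the hit should feed into sandboxing or sample review rather than stand as a verdict.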