A New Banking Trojan Targeting Latin American Users


A newly spotted banking trojan has been caught leveraging legitimate platforms such as YouTube and Pastebin to store its encrypted remote configuration and commandeer infected Windows systems, making it the latest to join the long list of malware targeting Latin America (LATAM) after Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro.

The threat actor behind this malware family, dubbed "Numando", is believed to have been active since at least 2018.

"[Numando brings] interesting new techniques to the pool of Latin American banking trojans' tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images," ESET researchers said in a technical analysis published on Friday. "Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain."

Written in Delphi, the malware comes with an array of backdoor capabilities that allow it to control compromised machines, simulate mouse and keyboard actions, restart and shut down the host, display overlay windows, capture screenshots, and terminate browser processes. Numando is "almost exclusively" propagated through spam campaigns and has ensnared a few hundred victims to date, according to the cybersecurity firm's telemetry data.

The attacks begin with a phishing message carrying a ZIP attachment that contains an MSI installer, which in turn includes a cabinet (CAB) archive holding a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Executing the MSI launches the legitimate application, which side-loads the injector module; the injector then decrypts and runs the final-stage malware payload.

In an alternate distribution chain observed by ESET, the malware takes the form of a "suspiciously large" but valid BMP image file, from which the injector extracts and executes the Numando banking trojan. What makes the campaign stand out is its use of YouTube video titles and descriptions, since taken down, to store the remote configuration, such as the IP address of the command-and-control server.
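The "suspiciously large but valid BMP" indicator above is something a triage script can check for directly. The Python below is an added example for this article, not code from ESET's analysis or from the malware; the page does not document how Numando embeds its payload, so the check assumes the simplest form, extra bytes appended after the pixel data. It locates the end of the image from the pixel offset and image geometry rather than from the bfSize field, because a file that must still open as a valid BMP can have bfSize patched to cover whatever was appended. The decoy image and the "MZ" payload it constructs are made up for the demonstration.

```python
import struct

# BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
FILE_HDR = struct.Struct("<2sIHHI")
# First seven fields of BITMAPINFOHEADER: biSize, biWidth, biHeight,
# biPlanes, biBitCount, biCompression, biSizeImage
INFO_HDR = struct.Struct("<IiiHHII")
BI_RGB = 0


def bmp_trailing_data(data: bytes) -> dict:
    """Report bytes that sit after the pixel data the BMP headers account for.

    The image end is computed from bfOffBits plus the pixel-array size derived
    from the geometry (uncompressed BI_RGB) or from biSizeImage (compressed
    formats), never from bfSize, which a loader can trivially patch.
    """
    if len(data) < FILE_HDR.size + INFO_HDR.size:
        raise ValueError("too short to be a BMP")
    magic, bf_size, _r1, _r2, off_bits = FILE_HDR.unpack_from(data, 0)
    if magic != b"BM":
        raise ValueError("missing 'BM' magic")
    bi_size, width, height, _planes, bpp, compression, size_image = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if bi_size < INFO_HDR.size or off_bits < FILE_HDR.size + bi_size:
        raise ValueError("inconsistent header sizes")
    if compression == BI_RGB:
        # Rows are padded to 4-byte boundaries; biSizeImage may legally be 0 here.
        stride = ((abs(width) * bpp + 31) // 32) * 4
        size_image = stride * abs(height)
    elif size_image == 0:
        raise ValueError("compressed BMP without biSizeImage; cannot locate image end")
    image_end = off_bits + size_image
    trailing = data[image_end:] if len(data) > image_end else b""
    return {
        "declared_size": bf_size,
        "image_end": image_end,
        "actual_size": len(data),
        "trailing_len": len(trailing),
        "trailing": trailing,
        # True when bfSize was raised to make the overlay look like part of the file
        "size_field_covers_trailing": bool(trailing) and bf_size >= len(data),
    }


def make_bmp(width: int, height: int, rgb=(0, 0, 0)) -> bytes:
    """Build a minimal valid 24-bit BMP (a constructed decoy for the demo)."""
    row = bytes(reversed(rgb)) * width                 # pixels are stored BGR
    row += b"\x00" * ((4 - len(row) % 4) % 4)          # pad each row to 4 bytes
    pixels = row * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, BI_RGB,
                      len(pixels), 2835, 2835, 0, 0)
    off_bits = FILE_HDR.size + len(dib)
    return FILE_HDR.pack(b"BM", off_bits + len(pixels), 0, 0, off_bits) + dib + pixels


def with_patched_size(data: bytes) -> bytes:
    """Copy of `data` with bfSize set to the real length, as a loader hiding an overlay might do."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, 2, len(buf))
    return bytes(buf)


if __name__ == "__main__":
    decoy = make_bmp(2, 2, (255, 0, 0))
    payload = b"MZ" + b"\x90" * 64                    # constructed stand-in for an encrypted DLL
    for name, sample in (("clean", decoy), ("appended", decoy + payload),
                         ("appended+patched", with_patched_size(decoy + payload))):
        r = bmp_trailing_data(sample)
        print(f"{name}: size={r['actual_size']} image_end={r['image_end']} "
              f"trailing={r['trailing_len']} bfSize_hides_it={r['size_field_covers_trailing']}")
```

Run it over a directory of BMP attachments and anything with a non-zero `trailing_len` deserves a second look; a large `trailing` blob with high entropy is consistent with the encrypted DLL the article describes, though a legitimate image with padding or metadata appended by a careless writer will also trip the check, so treat it as a triage signal rather than a verdict.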

"[The malware] uses fake overlay windows, contains backdoor functionality, and utilizes MSI [installer]," the researchers said. "It is the only LATAM banking trojan written in Delphi that uses a non-Delphi injector, and its remote configuration format is unique, making two reliable factors when identifying this malware family."
