
LatAm Banking Trojans Collaborate in Never-Before-Seen Effort
2020-10-02 16:43

Virus Bulletin 2020 - A loose affiliation of cybercriminals is working together to author and distribute multiple families of banking trojans in Latin America - a collaborative effort that researchers say is highly unusual.

Multiple, distinct malware families have plagued Latin American banking customers for years - the variants include Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist and Zumanek, according to ESET. In examining these families over time, ESET researchers began to notice "some similarities between multiple families in our series, such as using the same uncommon algorithm to encrypt strings or suspiciously similar DGAs to obtain C2 server addresses," according to a Thursday analysis. (A DGA, or domain generation algorithm, lets malware compute its command-and-control addresses at runtime instead of hardcoding them, so two families sharing one is a strong sign of shared code or shared authors.)

The trojans also share "practically identical implementation[s] of the banking trojans' cores," including sending notifications to operators, periodically scanning active windows by name or title to spot a banking session, and using carefully crafted pop-up windows that mimic banking apps in order to harvest information from the victim.

Most Latin American banking trojans also share execution methods, including DLL side-loading against the same set of legitimate applications that are susceptible to it, and abusing a legitimate AutoIt interpreter to execute their payloads.
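Both execution methods above leave a recognisable shape in endpoint telemetry: a signed vendor binary running from a user-writable directory and loading an unsigned (or differently signed) DLL from that same directory, and a copy of the AutoIt interpreter that has been renamed or dropped outside its install location. The following detection logic is an added example written for this page; it is not code from ESET, Threatpost or any of the malware families named here. The event records and their field names are constructed and only loosely modelled on Sysmon-style image-load and process-create events, the list of user-writable directories is an assumption to be tuned per environment, and the assumption that the legitimate interpreter carries the PE original file name AutoIt3.exe should be checked against your own copy.

```python
"""Added example: flag the two execution tricks discussed above over
constructed endpoint telemetry. Field names are assumptions, not a real
EDR schema; map them onto your own image-load / process-create events."""
import ntpath
from typing import Iterable, List, Optional

# Directories an unprivileged user can write to. Assumed list; extend per environment.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\",
)

# Assumption: the legitimate AutoIt interpreter's PE OriginalFileName is AutoIt3.exe.
AUTOIT_ORIGINAL_NAME = "autoit3.exe"


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def check_dll_sideload(ev: dict) -> Optional[str]:
    """Side-loading shape: a signed host executable in a user-writable directory
    loads a DLL from its own directory that is unsigned or signed by someone else."""
    if ev.get("type") != "image_load":
        return None
    proc, dll = ev["process"], ev["dll"]
    if ntpath.dirname(proc).lower() != ntpath.dirname(dll).lower():
        return None  # DLL resolved elsewhere (e.g. System32): the normal case
    if not in_user_writable_dir(proc):
        return None  # vendor install directories legitimately carry private DLLs
    if not ev.get("process_signer"):
        return None  # host is not a signed legitimate binary; not this pattern
    if ev.get("dll_signer") and ev["dll_signer"] == ev["process_signer"]:
        return None  # same publisher signed both: expected
    return (f"dll_sideload: {ntpath.basename(proc)} loaded {ntpath.basename(dll)} "
            f"from {ntpath.dirname(dll)}")


def check_autoit_abuse(ev: dict) -> Optional[str]:
    """Interpreter-abuse shape: the genuine AutoIt interpreter (by original file
    name) has been renamed or placed in a user-writable directory, i.e. it was
    shipped with a payload rather than installed."""
    if ev.get("type") != "process_create":
        return None
    if ev.get("original_file_name", "").lower() != AUTOIT_ORIGINAL_NAME:
        return None
    image = ev["image"]
    renamed = ntpath.basename(image).lower() != AUTOIT_ORIGINAL_NAME
    dropped = in_user_writable_dir(image)
    if not (renamed or dropped):
        return None
    why = "renamed" if renamed else "in user-writable dir"
    return f"autoit_abuse: {image} ({why}) cmd={ev.get('command_line', '')}"


CHECKS = (check_dll_sideload, check_autoit_abuse)


def scan(events: Iterable[dict]) -> List[str]:
    """Run every check over every event and return the alert strings."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real data). Events 2 and 5 should alert.
SAMPLE_EVENTS = [
    {"type": "image_load",
     "process": r"C:\Program Files\VendorApp\app.exe", "process_signer": "Vendor Inc",
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_signer": "Microsoft Windows"},
    {"type": "image_load",
     "process": r"C:\Users\alice\AppData\Roaming\Updater\legit.exe", "process_signer": "Vendor Inc",
     "dll": r"C:\Users\alice\AppData\Roaming\Updater\version.dll", "dll_signer": ""},
    {"type": "image_load",
     "process": r"C:\Program Files\VendorApp\app.exe", "process_signer": "Vendor Inc",
     "dll": r"C:\Program Files\VendorApp\helper.dll", "dll_signer": "Vendor Inc"},
    {"type": "process_create",
     "image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", "original_file_name": "AutoIt3.exe",
     "command_line": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\Users\alice\Documents\test.au3'},
    {"type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\svc\svc.exe", "original_file_name": "AutoIt3.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\svc\svc.exe" C:\Users\alice\AppData\Local\Temp\svc\data.a3x'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The side-loading rule deliberately ignores DLLs resolved from other directories and private DLLs under vendor install paths, since both are routine; what it keys on is the combination of a signed host, a user-writable location and a mismatched or missing DLL signature. The AutoIt rule keys on the PE original file name rather than the on-disk name precisely because renaming the interpreter is part of the trick.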

"Since we believe it is impossible for 11 different authors to have come up with so many common ideas and we don't believe that one group is deliberately maintaining 11 different families at the same time, we conclude that the authors of these banking trojans communicate with each other," the researchers wrote.


News URL

https://threatpost.com/latam-banking-trojans-collaborate/159792/