Security News > 2021 > September > Numando: A New Banking Trojan Targeting Latin American Users
A newly spotted banking trojan has been caught leveraging legitimate platforms like YouTube and Pastebin to store its encrypted, remote configuration and commandeer infected Windows systems, making it the latest to join the long list of malware targeting Latin America after Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro.
" interesting new techniques to the pool of Latin American banking trojans' tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images," ESET researchers said in a technical analysis published on Friday.
Written in Delphi, the malware comes with an array of backdoor capabilities that allow it to control compromised machines, simulate mouse and keyboard actions, restart and shutdown the host, display overlay windows, capture screenshots, and terminate browser processes.
Numando is "Almost exclusively" propagated by spam campaigns, ensnaring several hundred victims to date, according to the cybersecurity firm's telemetry data.
The attacks begin with a phishing message that comes embedded with a ZIP attachment containing an MSI installer, which, in turn, includes a cabinet archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Executing the MSI leads to the execution of the application, causing the injector module to be side-loaded and decrypt the final-stage malware payload. In an alternate distribution chain observed by ESET, the malware takes the form of a "Suspiciously large" but valid BMP image file, from which the injector extracts and executes the Numando banking trojan.
"It is the only LATAM banking trojan written in Delphi that uses a non-Delphi injector and its remote configuration format is unique, making two reliable factors when identifying this malware family."
News URL
Related news
- Banking Trojans Target Latin America and Europe Through Google Cloud Run (source)
- New Banking Trojan CHAVECLOAK Targets Brazilian Users via Phishing Tactics (source)
- PixPirate Android Banking Trojan Using New Evasion Tactic to Target Brazilian Users (source)
- Vultur Android Banking Trojan Returns with Upgraded Remote Control Capabilities (source)