New Banking Trojan Emerges in South America

ESET cybersecurity researchers have discovered a new banking Trojan called Numando that targets users in Latin America.

New Banking Trojan Emerges in South America
New Banking Trojan Emerges in South America | Image credits: Threatpost

The new strain of banking trojan has been identified to use legitimate websites like Pastebin or YouTube to save their affected commander's Windows systems and remote configurations. Recently, several Trojans have been discovered that aim to steal users' banking data and infect Latin America, according to The Hacker News.

Cybersecurity researchers from ESET have called the new banking malware Numando, and they have stated that the cybercriminal gang behind this malware family has been active for at least three years, according to their findings.

They went on to say "Even though it is not nearly as lively as Mekotio or Grandoreiro, it has been consistently used since we started tracking it, bringing interesting new techniques to the pool of Latin American banking trojans’ tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images. Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain."

The malware was designed to be capable of performing sophisticated hacking operations

The malware's developers chose to write the Trojan in Delphi to better implement some backdoor features, such as running programs, the ability to take full control of infected systems, display overlay windows, take screenshots, terminate browser processes, and shut down or restart the host. According to the cybersecurity company's information, Numando is spread almost exclusively via spam emails and has infected hundreds of people so far.

Victims receive a phishing email containing a ZIP file with an MSI installer that downloads an injector and a real application containing an encrypted Numando banking Trojan DLL in a cabinet archive and then runs the injector and the real application. In order for the malware payload to be decrypted in the final stage, the injector module must be loaded as a byproduct of the MSI execution.

Another distribution chain identified by ESET includes the Numando banking malware, which is allegedly loaded via a strangely large but valid BMP graphic file. The campaign features the use of YouTube video descriptions and titles that include information such as the IP address of the command and control (C&C) server used to save the remote configuration to increase awareness.