A newly observed banking trojan has been caught leveraging legitimate platforms like YouTube and Pastebin to store its encrypted remote configuration and hijack infected Windows systems, making it the latest addition to the long list of malware targeting Latin America (LATAM) after Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro.
The threat actor behind this malware family, dubbed "Numando," is believed to have been active since at least 2018.
"[Numando brings] interesting new techniques to the pool of Latin American banking trojans' tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images," ESET researchers said in a technical analysis published on Friday. "Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain."
Written in Delphi, the malware comes with an array of backdoor capabilities that allow it to control compromised machines, simulate mouse and keyboard actions, restart and shut down the host, display overlay windows, capture screenshots, and terminate browser processes. Numando is "almost exclusively" propagated via spam campaigns and has ensnared a few hundred victims to date, according to the cybersecurity firm's telemetry data.
The attacks begin with a phishing message carrying a ZIP attachment that contains an MSI installer, which in turn includes a cabinet (CAB) archive holding a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Executing the MSI launches the legitimate application, which side-loads the injector module; the injector then decrypts and runs the final-stage malware payload. Because the malicious code ends up executing inside a process that belongs to a legitimate application, process-name allowlists alone will not catch this stage; the interesting events are the unexpected DLL loaded from the MSI's install directory and what that process does afterwards.
In an alternate distribution chain observed by ESET, the malware takes the form of a "suspiciously large" but valid BMP image file, from which the injector extracts and executes the Numando banking trojan. What makes the campaign stand out is its use of YouTube video titles and descriptions (since taken down) to store the remote configuration, such as the IP address of the command-and-control server.
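A "suspiciously large but valid" image is easy to triage once you compare the file's real length with what its headers account for. The script below is an added example, not ESET's tooling and not Numando's own code; it assumes the payload is appended after the pixel array (an overlay), which is one common way to keep an image valid while smuggling data. The article does not say where Numando places its payload inside the BMP, so the `build_bmp` sample files are constructed here purely to exercise the check. Note that the check derives the expected size from width, height and bits-per-pixel rather than trusting the `bfSize` field, since an attacker can simply set `bfSize` to the padded file's true length.

```python
"""Flag BMP files whose real length exceeds what their headers account for.

Added example for triaging decoy images with an appended payload. Assumption:
the payload is an overlay after the pixel data. Only uncompressed DIBs
(BI_RGB / BI_BITFIELDS) are handled; RLE-compressed images are rejected
because their pixel-array size cannot be derived from the dimensions.
"""
import struct
from typing import Optional, Tuple

# BITMAPFILEHEADER: magic, bfSize, bfReserved1, bfReserved2, bfOffBits
FILE_HEADER = struct.Struct("<2sIHHI")
# BITMAPINFOHEADER (40 bytes): biSize, biWidth, biHeight, biPlanes, biBitCount,
# biCompression, biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
INFO_HEADER = struct.Struct("<IiiHHIIiiII")
BI_RGB, BI_BITFIELDS = 0, 3


def bmp_expected_size(data: bytes) -> Tuple[int, int]:
    """Return (declared_size, computed_size) for a BMP blob.

    declared_size is the bfSize header field. computed_size is the pixel-data
    offset plus the pixel array size derived from the image dimensions, with
    each row padded to a 4-byte boundary as the format requires.
    Raises ValueError if the blob is not a plausible uncompressed BMP.
    """
    if len(data) < FILE_HEADER.size + INFO_HEADER.size:
        raise ValueError("too short to be a BMP")
    magic, bf_size, _, _, off_bits = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        raise ValueError("missing BM magic")
    hdr_size, width, height, planes, bpp, compression, *_ = INFO_HEADER.unpack_from(
        data, FILE_HEADER.size
    )
    if hdr_size < 40 or planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        raise ValueError("unsupported or malformed DIB header")
    if compression not in (BI_RGB, BI_BITFIELDS):
        raise ValueError("compressed BMP: size cannot be derived from dimensions")
    if width <= 0 or off_bits < FILE_HEADER.size + hdr_size:
        raise ValueError("implausible dimensions or pixel offset")
    row_bytes = ((bpp * width + 31) // 32) * 4
    computed = off_bits + row_bytes * abs(height)  # height < 0 means top-down rows
    return bf_size, computed


def bmp_overlay(data: bytes) -> Optional[bytes]:
    """Return whatever follows the pixel array, or None if the file ends there."""
    _, computed = bmp_expected_size(data)
    return data[computed:] if len(data) > computed else None


def flag_bmp(data: bytes, slack: int = 16) -> bool:
    """True when more than `slack` bytes trail the pixel array.

    A small slack tolerates benign trailing padding some writers emit; a
    multi-kilobyte overlay is what you want to pull out and look at.
    """
    _, computed = bmp_expected_size(data)
    return len(data) - computed > slack


def build_bmp(width: int, height: int, bpp: int = 24,
              overlay: bytes = b"", fix_bfsize: bool = False) -> bytes:
    """Construct a minimal valid BMP of zero pixels, optionally with an overlay.

    Constructed sample data for this example only. With fix_bfsize=True the
    bfSize field is set to the full padded length, mimicking an attacker who
    keeps the header self-consistent to defeat naive bfSize-vs-length checks.
    """
    row_bytes = ((bpp * width + 31) // 32) * 4
    pixels = bytes(row_bytes * height)
    off_bits = FILE_HEADER.size + INFO_HEADER.size
    size = off_bits + len(pixels) + (len(overlay) if fix_bfsize else 0)
    fh = FILE_HEADER.pack(b"BM", size, 0, 0, off_bits)
    ih = INFO_HEADER.pack(40, width, height, 1, bpp, BI_RGB, len(pixels), 2835, 2835, 0, 0)
    return fh + ih + pixels + overlay


if __name__ == "__main__":
    fake_payload = b"MZ" + bytes(range(64))  # constructed stand-in, not a real binary
    clean = build_bmp(4, 4)
    padded = build_bmp(4, 4, overlay=fake_payload, fix_bfsize=True)
    print("clean flagged:", flag_bmp(clean))
    print("padded flagged:", flag_bmp(padded), "overlay bytes:", len(bmp_overlay(padded)))
```

Run against a directory of extracted attachments, anything `flag_bmp` returns true for gets its overlay carved with `bmp_overlay` and handed to the usual unpacking and entropy checks. The check says nothing about payloads hidden inside the pixel data itself (a large image whose pixel bytes are the carrier), which would need a different heuristic such as comparing the image's visual content with its size.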
"[The malware] uses fake overlay windows, contains backdoor functionality, and utilizes MSI [installer]," the researchers said. "It's the only LATAM banking trojan written in Delphi that uses a non-Delphi injector and its remote configuration format is unique, making two reliable factors when identifying this malware family."