A newly spotted banking trojan has been caught leveraging legitimate platforms like YouTube and Pastebin to store its encrypted, remote configuration and hijack infected Windows systems, making it the latest to join the long list of malware targeting Latin America (LATAM) after Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro.
The threat actor behind this malware family, dubbed "Numando", is believed to have been active since at least 2018.
"[Numando brings] interesting new techniques to the pool of Latin American banking trojans' tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images," ESET researchers said in a technical analysis published on Friday. "Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain."
Written in Delphi, the malware comes with an array of backdoor capabilities that allow it to control compromised machines, simulate mouse and keyboard actions, restart and shut down the host, display overlay windows, take screenshots, and terminate browser processes. Numando is "almost exclusively" spread via spam campaigns, ensnaring several hundred victims to date, according to the cybersecurity firm's telemetry data.
The attacks begin with a phishing message that comes with an embedded ZIP attachment containing an MSI installer, which, in turn, includes a cabinet (CAB) archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Executing the MSI leads to the execution of the legitimate application, causing the injector module to be side-loaded and to decrypt the final-stage malware payload.
In an alternate distribution chain observed by ESET, the malware takes the form of a "suspiciously large" but valid BMP image file, from which the injector extracts and executes the Numando banking trojan. What makes the campaign stand out is its use of YouTube video titles and descriptions, since taken down, to store the remote configuration, such as the IP address of the command-and-control server.
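A "suspiciously large but valid" BMP is one where the file is longer than its headers say the pixel data should be. The following is an added triage example (not ESET's tooling and not code from the article) that parses the BMP file and info headers and reports how many bytes trail the declared image; the sample BMP and its appended blob are constructed inline and are not a real Numando artefact.

```python
import struct

BMP_HEADERS_LEN = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER


def build_bmp(width, height, trailer=b""):
    """Construct a minimal 24-bit uncompressed BMP, optionally with bytes appended (constructed sample)."""
    row_bytes = ((width * 3 + 3) // 4) * 4          # rows are padded to 4-byte boundaries
    pixel_bytes = row_bytes * height
    file_size = BMP_HEADERS_LEN + pixel_bytes          # size of the *legitimate* image only
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, BMP_HEADERS_LEN)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              pixel_bytes, 2835, 2835, 0, 0)
    return file_header + info_header + bytes(pixel_bytes) + trailer


def bmp_overlay(data):
    """Return (declared_size, expected_end, overlay_bytes) for a BMP blob.

    expected_end is where the pixel data should stop according to the headers;
    anything past it is 'overlay' that a viewer ignores but a loader can carve out.
    """
    if len(data) < BMP_HEADERS_LEN or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, declared_size, _, _, pixel_offset = struct.unpack_from("<2sIHHI", data, 0)
    _, width, height, _, bpp, compression, image_size = struct.unpack_from("<IiiHHII", data, 14)
    if compression != 0:
        expected_end = pixel_offset + image_size      # compressed: trust biSizeImage
    else:
        row_bytes = ((width * bpp + 31) // 32) * 4    # uncompressed: recompute from geometry
        expected_end = pixel_offset + row_bytes * abs(height)
    overlay = max(len(data) - expected_end, 0)
    return declared_size, expected_end, overlay


def is_suspicious(data, min_overlay=1024):
    """Flag a BMP whose trailing data exceeds min_overlay bytes or whose declared size disagrees with its length."""
    declared_size, expected_end, overlay = bmp_overlay(data)
    return overlay >= min_overlay or declared_size != len(data)


if __name__ == "__main__":
    clean = build_bmp(4, 2)
    padded = build_bmp(4, 2, trailer=b"\x00" * 4096)   # constructed stand-in for an appended payload
    print("clean:", bmp_overlay(clean), is_suspicious(clean))
    print("padded:", bmp_overlay(padded), is_suspicious(padded))
```

Run it over a directory of mail attachments to surface images worth a second look; a genuine photo with a few bytes of metadata after the pixels will not trip the default threshold, while a multi-kilobyte overlay will.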
"[The malware] uses fake overlay windows, has backdoor functionality, and uses MSI [installer]," the researchers said. "It is the only LATAM banking trojan written in Delphi that uses a non-Delphi injector, and its remote configuration format is unique, making these two reliable factors when identifying this malware family."