Experts uncover a new Banking Trojan targeting Latin American users

guest · Sep 20, 2021

Numando: A New Banking Trojan Targeting Latin American Users
September 19, 2021
https://thehackernews.com/2021/09/numando-new-banking-trojan-targeting.html

A newly spotted banking trojan has been caught leveraging legitimate platforms like YouTube and Pastebin to store its encrypted, remote configuration and commandeer infected Windows systems, making it the latest to join the long list of malware targeting Latin America (LATAM) after Guildma, Javali, Melcoz, Grandoreiro, Mekotio, Casbaneiro, Amavaldo, Vadokrist, and Janeleiro.

The threat actor behind this malware family — dubbed "Numando" — is believed to have been active since at least 2018.

"[Numando brings] interesting new techniques to the pool of Latin American banking trojans' tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images," ESET researchers said in a technical analysis published on Friday. "Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain."
Numando is "almost exclusively" propagated by spam campaigns, ensnaring several hundred victims to date, according to the cybersecurity firm's telemetry data.
Click to expand...

The attacks begin with a phishing message that comes embedded with a ZIP attachment containing an MSI installer, which, in turn, includes a cabinet archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Executing the MSI leads to the execution of the application, causing the injector module to be side-loaded and decrypt the final-stage malware payload.

In an alternate distribution chain observed by ESET, the malware takes the form of a "suspiciously large" but valid BMP image file, from which the injector extracts and executes the Numando banking trojan.

"[The malware] uses fake overlay windows, contains backdoor functionality, and utilizes MSI [installer]," the researchers said. "It is the only LATAM banking trojan written in Delphi that uses a non-Delphi injector and its remote configuration format is unique, making two reliable factors when identifying this malware family."
Click to expand...

ESET: Numando: Count once, code twice

Conclusion
Numando is a Latin American banking trojan written in Delphi. It targets mainly Brazil with rare campaigns in Mexico and Spain. It is similar to the other families described in our series – it uses fake overlay windows, contains backdoor functionality and utilizes MSI.

We have covered its most typical features, distribution methods and remote configuration. It is the only LATAM banking trojan written in Delphi that uses a non-Delphi injector and its remote configuration format is unique, making two reliable factors when identifying this malware family.
Click to expand...

Rasheed187 · Sep 21, 2021

Interesting, so this banking trojan is not using direct code injection, but seems to use DLL sideloading? What's also not clear to me is which legitimate app it's trying to hijack. But like I said numerous of times, the best defense is to use an online bank that provides 2FA via hardware based security tokens like from OneSpan and RSA SecurID. It's weird as hell that many banks and brokers don't offer this.

https://www.onespan.com/resources/digipass-go-6/datasheet
https://en.wikipedia.org/wiki/RSA_SecurID

Log in or Sign up

Experts uncover a new Banking Trojan targeting Latin American users

guest Guest

Rasheed187 Registered Member

Log in or Sign up

Experts uncover a new Banking Trojan targeting Latin American users

guest Guest

Rasheed187 Registered Member

Useful Searches