Security researchers from ESET have uncovered the largest known collaboration among banking malware authors across Latin America. The researchers found eleven distinct banking Trojan families that share malware capabilities and distribution channels and adopt new tactics, techniques, and procedures (TTPs) from one another.
The families in question are Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist, and Zumanek. According to the researchers, all of them use the same encryption algorithms, the same obfuscation techniques, the same uncommon third-party libraries, and similar domain generation algorithms (DGAs) for reaching their C2 servers.
“The operators of these banking Trojans appear to be in contact with one another. We first spotted this when examining algorithms used for string encryption. Most Latin American banking Trojans use very simple, custom encryption schemes that are generally unknown in the broader programming community, and yet we see the same algorithm being used in six different families. These common features do not end with the binaries’ contents. By examining the distribution chains, we find usage of the same obfuscation methods or packers applied to different scripts,” ESET researchers said.
How a Latin American Banking Trojan Works
- A typical Latin American banking Trojan collects information about the victim's device, including the system name, username, and unique identifiers, and in some cases checks whether security software is installed.
- The collected data is sent to a URL distinct from the C&C server.
- The Trojan attacks by displaying a fake pop-up window crafted specifically to lure the user into interacting with it.
- The malware then makes it as hard as possible for the victim to dismiss the window: it blocks input anywhere else, keeps the window always on top, disables hotkeys, disables Task Manager, and interferes with the mouse.
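Two of the lock-out behaviours in that list leave host artefacts an analyst can check for directly: a Task Manager policy set to disabled, and a visible window carrying the always-on-top style. The PowerShell triage script below is an added example (not ESET's code and not from the article); it assumes a Windows host and uses the documented `DisableTaskMgr` policy value and Win32 `EnumWindows`/`GetWindowLong` calls, with function names of my own choosing.

```powershell
# Added triage script (not ESET's code): checks two lock-out artefacts described above on a Windows host.
Add-Type @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public class Win32Triage {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern int GetWindowLong(IntPtr hWnd, int nIndex);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int count);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@
$GWL_EXSTYLE   = -20          # index of the extended window style
$WS_EX_TOPMOST = 0x00000008   # the "always on top" style bit

function Get-DisabledTaskMgrPolicy {
    # DisableTaskMgr = 1 under Policies\System is the setting that switches Task Manager off.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $val = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($val -and $val.DisableTaskMgr -eq 1) { [pscustomobject]@{ Hive = $hive; Key = $key } }
    }
}

function Get-TopmostVisibleWindows {
    # Reports every visible top-level window carrying WS_EX_TOPMOST plus its owning process.
    $found = New-Object System.Collections.Generic.List[object]
    $cb = [Win32Triage+EnumWindowsProc]{
        param($hWnd, $lParam)
        if ([Win32Triage]::IsWindowVisible($hWnd)) {
            $ex = [Win32Triage]::GetWindowLong($hWnd, $GWL_EXSTYLE)
            if (($ex -band $WS_EX_TOPMOST) -ne 0) {
                $sb = New-Object System.Text.StringBuilder 512
                [void][Win32Triage]::GetWindowText($hWnd, $sb, $sb.Capacity)
                [uint32]$ownerPid = 0
                [void][Win32Triage]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
                $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
                $found.Add([pscustomobject]@{ Title = $sb.ToString(); Pid = $ownerPid; Process = $proc.ProcessName; Path = $proc.Path })
            }
        }
        return $true   # keep enumerating
    }
    [void][Win32Triage]::EnumWindows($cb, [IntPtr]::Zero)
    return $found
}
Get-DisabledTaskMgrPolicy | Format-Table -AutoSize
Get-TopmostVisibleWindows | Where-Object { $_.Title } | Format-Table -AutoSize
```

Legitimate software (screen-recording tools, some chat clients) also sets topmost windows, so treat a hit as a pivot point to the owning process's image path and signer rather than as a verdict on its own.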
“Given so many common features, one might be inclined to think that the authors of these banking Trojans share the fake pop-up windows too, since they are designed to attack customers of the same banks. In fact, the opposite seems to be the case. This is likely the one thing they do by themselves. We have analyzed around 600 of the most recent of these fake windows and it seems they are unique to each family,” the researchers added.