ESET Research has described the banking Trojan Numando as part of its series on malware in Latin America. Like the other malware families covered in that series, Numando uses fake overlay windows, has backdoor functionality, and abuses public services such as YouTube and Pastebin to store its remote configuration.
The threat actor behind it has been reported active since 2018, consistently introducing varied new techniques into the group of Latin American banking Trojans. Numando is written in Delphi.
Numando ships its payload in ZIP archives or bundled with decoy BMP images: large, valid images that open and display normally. Its backdoor capabilities allow it to simulate mouse and keyboard actions, shut down the machine, display overlay windows, take screenshots and kill browser processes. The fake overlay windows entice victims into entering sensitive information and financial credentials.
How it Works
Campaigns and phishing emails are the typical mode of distribution for the banking Trojan.
- A .ZIP file is sent to victims as a decoy
- The file contains a .CAB archive bundled with a legitimate software application, an injector, and the Trojan
- A large .BMP file masks the malware
- When the legitimate application is run, the injector is side-loaded and the malware is then decrypted using an XOR algorithm and a key
- Numando abuses public services such as Pastebin and YouTube for distribution
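The decoy-image step above can be triaged by parsing the BMP headers and measuring what lies beyond the declared pixel array: a valid, viewable image that carries a large, high-entropy tail is the pattern described. This is an added defender-side example, not code from ESET's report; the BMP sample and its appended tail are constructed here, and the 256-byte and 7.0-bit thresholds are assumptions.

```python
import math
import struct
from collections import Counter
from typing import Optional

def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 suggests encrypted or compressed data."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def bmp_overlay_info(data: bytes) -> Optional[dict]:
    """Parse the BMP headers and measure any data lying past the pixel array.
    Returns None if the input is not a parseable BMP."""
    if len(data) < 54 or data[:2] != b"BM":  # 14-byte file header + 40-byte info header
        return None
    # BITMAPFILEHEADER: file size, two reserved shorts, offset of the pixel array
    declared_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    # BITMAPINFOHEADER: size, width, height, planes, bpp, compression, image size
    hdr_size, width, height, _, bpp, compression, image_size = struct.unpack_from("<IiiHHII", data, 14)
    if hdr_size < 40 or width <= 0 or height == 0 or bpp == 0:
        return None
    if compression == 0:  # BI_RGB: biSizeImage may be 0, so derive it from the geometry
        row_bytes = ((width * bpp + 31) // 32) * 4  # rows are padded to 4-byte boundaries
        image_size = row_bytes * abs(height)
    image_end = pixel_offset + image_size
    overlay = data[image_end:]
    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "overlay_bytes": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 3),
    }

def is_suspicious(info: dict, min_overlay: int = 256, min_entropy: float = 7.0) -> bool:
    """Flag images whose trailing data is both sizeable and near-random (assumed thresholds)."""
    return info["overlay_bytes"] >= min_overlay and info["overlay_entropy"] >= min_entropy

def make_sample_bmp(width: int, height: int) -> bytes:
    """Build a minimal black 24-bpp BMP (constructed sample, not a real Numando artifact)."""
    row_bytes = ((width * 24 + 31) // 32) * 4
    image_size = row_bytes * height
    file_header = b"BM" + struct.pack("<IHHI", 54 + image_size, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, image_size, 2835, 2835, 0, 0)
    return file_header + info_header + bytes(image_size)

if __name__ == "__main__":
    decoy = make_sample_bmp(2, 2) + bytes(range(256))  # constructed: valid image plus an 8.0-bit tail
    print(bmp_overlay_info(decoy), is_suspicious(bmp_overlay_info(decoy)))
```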
On being informed, Google took down many of these videos used to spread the Trojan. The main target regions have been Brazil and some areas of Mexico and Spain.
Banking customers are advised to follow security best practices and stay extra vigilant while the Trojan is active.
Banking Trojan Explained
According to Investopedia, a banking Trojan is a piece of malware that attempts to steal credentials from a financial institution’s clients or gain access to their financial information. Many times, a banking Trojan will use a spoofed website of a financial institution to redirect client data to the attacker.
Like other Trojan horses, a banking Trojan often appears innocuous but can cause harm if downloaded and installed onto a device or computer.
Top Banking Trojans
Per Heimdal Security, here is a list of banking malware/Trojans that have been wreaking havoc in the banking sector:
- Zbot/Zeus: This Trojan infects Windows users and tries to retrieve confidential information from infected computers.
- Zeus Gameover: Financial-stealing malware that relies on a peer-to-peer botnet infrastructure.
- SpyEye: Data-stealing malware (similar to Zeus) created to siphon off money from online bank accounts.
- Shylock: Banking malware crafted to retrieve users’ banking credentials for fraudulent purposes.
- DanaBot: A banking malware with multiple variants that functions as malware-as-a-service, with a growing number of active affiliates.
- TrickBot: This malware targets the user’s financial information and credentials and spreads through malicious spam emails.
- Panda: A banking Trojan that uses many of Zeus’s techniques, such as man-in-the-browser and keylogging, but has advanced stealth capabilities.
- Kronos: One of the most sophisticated Trojans, with code obfuscated using a multitude of techniques. It focuses on stealing banking login credentials from browser sessions using a combination of web injections and keylogging. It has reportedly been given a new identity and is sold as the Osiris banking Trojan.
- Bizarro: This malware spreads via malicious links in spam emails, pilfering consumer financial information and mobile crypto wallets as it spreads.
A Trend Micro report revealed that the banking industry experienced a 1,318% year-on-year increase in ransomware attacks in the first half of 2021. Banking malware and local Trojans are going global, exploiting the COVID-19 pandemic worldwide to lure new victims and expand their reach.