
How the New Banking Trojan Numando Abuses YouTube and Other Platforms

by CISOCONNECT Bureau

Numando, a new banking trojan, has been discovered spreading via public platforms such as YouTube and Pastebin. Read on to know more…

Numando, a new banking trojan, has been discovered spreading through public platforms such as YouTube and Pastebin as it adds more victims’ systems. Like other Latin American banking trojans it is written in Delphi, and it is believed to have been active since 2018. The trojan is almost entirely focused on Brazil, with isolated attacks reported in Mexico and Spain, according to experts.

According to a Trend Micro report, ransomware attacks in the banking industry increased by 1,318 percent year over year in the first half of 2021. Banking malware and regional trojans continue to spread around the globe, attracting new victims and expanding their reach by using the COVID-19 pandemic as a lure.

ESET Research discovered the Numando banking trojan as part of its series on banking trojans in Latin America. Like the other families in that series, it uses fake overlay windows, carries backdoor functionality, and abuses public services such as YouTube and Pastebin to store its remote configuration.

Working Mechanism
Numando’s droppers arrive either as ZIP archives or bundled with a decoy BMP image that is unusually large yet still a valid picture, so it opens normally in an image viewer. The trojan’s backdoor capabilities let the operator simulate mouse and keyboard actions, restart or shut down the machine, display overlay windows, take screenshots and kill browser processes. The fake overlay windows lure victims into entering banking credentials and other sensitive information.

The banking trojan is typically distributed through spam and phishing campaigns. Victims receive a .ZIP attachment as the initial lure; it carries a .CAB archive bundling a legitimate application, an injector and the trojan itself.

The trojan is usually hidden inside a suspiciously large .BMP file. When the legitimate application is run it side-loads the injector, which extracts the payload from the image and decrypts it with a simple XOR algorithm and a key.

Numando also abuses public services such as Pastebin and YouTube, using them to store its remote configuration rather than the malware itself.

“Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes.” reads the analysis published by ESET. “Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings, which inspired our naming of this malware family.”

“The second ZIP archive contains a legitimate application, an injector and a suspiciously large BMP image. The downloader extracts the contents of this archive and executes the legitimate application, which side-loads the injector that, in turn, extracts the Numando banking trojan from the BMP overlay and executes it.” continues the report.
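The side-loading chain described above ends with the injector carving the trojan out of the BMP overlay and XOR-decrypting it. The Python below is an added illustration of how an analyst carves and decrypts such an overlay; it is not code from ESET’s report or from Numando itself. The image, the key and the payload are constructed for the example, and the "overlay larger than the declared image" triage rule is the author’s own heuristic; a real sample’s key, and any further transformation the injector applies, must be recovered from the injector.

```python
import struct
from typing import Optional

# Key and payload are constructed for this example. A real sample's key (and any
# extra transformation the injector applies) has to be recovered from the injector.
EXAMPLE_KEY = b"\x13\x37\xca\xfe"
EXAMPLE_PAYLOAD = b"MZ" + b"\x90" * 200 + b"fake-dll-body-for-demo"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_bmp(overlay: bytes = b"") -> bytes:
    """Construct a valid 2x2 24-bit BMP and append 'overlay' after its declared size.

    Image viewers stop at the size given in the header, so the file still opens as a picture.
    """
    row = b"\xff\x00\x00" * 2            # two BGR pixels
    row += b"\x00" * (-len(row) % 4)     # BMP rows are padded to 4-byte boundaries
    pixels = row * 2
    # BITMAPINFOHEADER: size, width, height, planes, bpp, compression, image size,
    # x/y pixels per metre, colours used, important colours
    info = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    file_size = 14 + len(info) + len(pixels)
    # BITMAPFILEHEADER: magic, file size, two reserved words, offset to pixel data
    header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, 14 + len(info))
    return header + info + pixels + overlay


def carve_bmp_overlay(data: bytes) -> bytes:
    """Return whatever follows the size the BMP header declares (empty for a clean image)."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared = struct.unpack_from("<I", data, 2)[0]
    if declared < 14 or declared > len(data):
        raise ValueError("declared size lies outside the file: corrupt or truncated header")
    return data[declared:]


def is_suspicious_bmp(data: bytes) -> bool:
    """Triage rule (author's heuristic): flag a BMP whose overlay is bigger than the image it declares."""
    overlay = carve_bmp_overlay(data)
    return len(overlay) > len(data) - len(overlay)


def recover_payload(data: bytes, key: bytes) -> Optional[bytes]:
    """Carve the overlay and XOR-decrypt it; None when the image carries nothing extra."""
    overlay = carve_bmp_overlay(data)
    if not overlay:
        return None
    return xor_bytes(overlay, key)


if __name__ == "__main__":
    sample = build_sample_bmp(xor_bytes(EXAMPLE_PAYLOAD, EXAMPLE_KEY))
    print("declared size:", struct.unpack_from("<I", sample, 2)[0], "actual size:", len(sample))
    print("suspicious:", is_suspicious_bmp(sample))
    print("recovered starts with:", recover_payload(sample, EXAMPLE_KEY)[:2])
```

The declared-size check matters in practice: a crafted header whose size field exceeds the file length would otherwise make the carver return nothing, and one pointing inside the header would return the header itself as "overlay".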

Targeting Public Services
It is not unusual for threat actors to take advantage of public services to help carry out their attacks. In Numando’s case the operators mainly use YouTube and Pastebin. They store configuration information in specially crafted file and video titles or descriptions, which the trojan fetches and decrypts. For instance, the title of an unlisted YouTube video contained an XOR-encrypted string hiding the command and control server’s address and port. A similar approach is used on Pastebin to store network information. Requests to youtube.com or pastebin.com look like ordinary browsing, which is exactly what makes these services attractive for hosting configuration: defenders cannot reasonably block the domains, and the operators can move the C&C server by editing a video title rather than rebuilding the malware.
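To make the technique concrete, here is an added example of a small configuration extractor for this kind of remote configuration; it is not code from ESET’s report or from Numando. The page, the `DATA:…:DATA` markers, the hex encoding and the key are all constructed assumptions for the example, not Numando’s real format, which has to be taken from the sample. `find_c2` works on any text, so the same routine covers a video title, a video description or a Pastebin paste body.

```python
import re
from typing import Optional, Tuple

# Constructed for this example: the markers, the hex encoding and the key are
# assumptions standing in for whatever a given sample really uses.
EXAMPLE_KEY = b"\x5a\xa5\x0f"
MARKER = re.compile(r"DATA:([0-9a-fA-F]+):DATA")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_config(host: str, port: int, key: bytes) -> str:
    """Build the marker-wrapped, XOR-encrypted, hex-encoded string an operator would paste into a title."""
    return "DATA:" + xor_bytes(f"{host}:{port}".encode("ascii"), key).hex() + ":DATA"


def page_title(html: str) -> Optional[str]:
    """Pull the video title out of a fetched page: og:title first, <title> as a fallback."""
    m = re.search(r'<meta\s+property="og:title"\s+content="([^"]*)"', html)
    if not m:
        m = re.search(r"<title>(.*?)</title>", html, re.S)
    return m.group(1).strip() if m else None


def find_c2(text: str, key: bytes) -> Optional[Tuple[str, int]]:
    """Locate the marker in any text (title, description, paste), decrypt it and validate host:port."""
    m = MARKER.search(text)
    if not m:
        return None
    try:
        plain = xor_bytes(bytes.fromhex(m.group(1)), key).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # odd-length/non-hex blob, or wrong key
        return None
    host, sep, port = plain.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host, int(port)


# Constructed page for an unlisted video whose title carries the encrypted C&C address.
SAMPLE_HTML = (
    "<html><head>"
    f'<meta property="og:title" content="Tutorial 03 {pack_config("198.51.100.7", 8080, EXAMPLE_KEY)}">'
    "<title>Tutorial 03 - YouTube</title></head><body></body></html>"
)

if __name__ == "__main__":
    title = page_title(SAMPLE_HTML)
    print("title:", title)
    print("C&C:", find_c2(title, EXAMPLE_KEY))
```

When hunting with a real sample, replace the three assumptions with values lifted from the binary, and keep the validation step: a wrong key or an unrelated title should yield `None`, not a garbage host that ends up on a blocklist.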

Conclusion
Numando is primarily focused on Brazil, with a few isolated campaigns in Mexico and Spain. The infection rate is still low, but with new attack strategies this could change quickly. Banking customers are therefore advised to follow the recommended security best practices in order to stay safe.

Running an up-to-date security suite on Windows systems is essential; it can detect and remove the malicious files before they cause any damage. Because the delivery chain relies on a legitimate application side-loading the injector, defenders should also watch for legitimate programs loading DLLs from user-writable directories, and treat unusually large .BMP files inside email attachments and archives as suspicious.
