Numando Banking Trojan Targets Latin America, Leverages Popular Services


Latin American threat actors have a long list of banking Trojans to their name. Major malware families like the Bizarro Banking Trojan have been plaguing users in Latin America for the past few years. However, a new Trojan family appears to be on the rise. The threat, dubbed the Numando Banking Trojan, abuses legitimate public services to infect users and control their systems. Among the services the criminals are using are YouTube and PasteBin, though other public services are also part of their campaign.

The Numando Banking Trojan appears to have been in development for a while. The first samples of the malware date back to 2018, but it has undergone significant changes since then. It may have been active in the past, but those attack campaigns were relatively small. The current campaign, however, is much more serious in scale: this Delphi-written malware has already infected thousands of users in several Latin American countries. The criminals' ultimate goal, of course, is to steal financial information and credentials from their victims.

Feature-wise, the Numando Banking Trojan is not that different from the other Trojans active in the region. Its operators can simulate mouse movements and key presses, restart or shut down the infected system remotely and, of course, display fake overlays. Other notable features include the ability to terminate processes and take snapshots of the victim's screen.

How Does the Numando Banking Trojan Reach Victims?

Spam is the primary method used to deliver this particular malware family. The criminals usually rely on email spam campaigns that urge the recipient to download a file attachment, typically a '.ZIP' file containing an MSI installer. The fake installer contains multiple archives that, once unpacked, load the malicious modules used to execute the Numando Banking Trojan. To make the process seem more legitimate, the fake installer shows fake splash screens branded with popular logos, such as the one Java uses. This may leave users under the impression that the installer has frozen.

Where do Public Services Come into Play?

It is not uncommon for threat actors to abuse public services to aid their attacks. In this case, the Numando Banking Trojan authors rely primarily on YouTube and PasteBin. The crooks use specially crafted file and video titles or descriptions to store configuration information that the Numando Banking Trojan can decipher. For example, an unlisted YouTube video's title contained an XOR-encrypted string that hides the command-and-control server's address and port. A similar technique is used to store network information on PasteBin.
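To show what an analyst is dealing with when a configuration is hidden this way, here is an added example (not code from the article or from the malware): a repeating-key XOR encoder/decoder for a `host:port` string plus a triage helper that scans a title or description for hex runs that decode to a plausible address. The key, hex encoding, field layout and sample title are all constructed assumptions, not Numando's real values.

```python
"""Constructed illustration of a config string hidden in a public text field.

Key, encoding and layout are assumptions for this example only; they are
not the real Numando format or key.
"""
import re
from itertools import cycle
from typing import List, Optional

# Accepts "hostname-or-ip:port"; used to decide whether a decode is plausible.
HOST_PORT_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_config(host: str, port: int, key: bytes) -> str:
    """Reproduces the stashing step so a decode can be verified end to end."""
    return xor_bytes(f"{host}:{port}".encode(), key).hex()


def decode_config(blob: str, key: bytes) -> Optional[str]:
    """Analyst-side decoder: returns host:port only if the blob decodes cleanly."""
    try:
        plain = xor_bytes(bytes.fromhex(blob), key).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid hex, or not printable text under this key
    return plain if HOST_PORT_RE.match(plain) else None


def find_candidate_configs(text: str, key: bytes) -> List[str]:
    """Triage helper: scan a title/description for hex runs that decode to host:port."""
    hits = []
    for token in re.findall(r"[0-9a-fA-F]{8,}", text):
        if len(token) % 2:
            continue  # odd-length run cannot be a byte string
        decoded = decode_config(token, key)
        if decoded:
            hits.append(decoded)
    return hits


# Constructed sample: an innocuous-looking title with the encoded blob appended.
SAMPLE_KEY = b"k3y"  # assumption for the example, not a real key
SAMPLE_TITLE = "Tutorial video " + encode_config("c2.example.invalid", 8080, SAMPLE_KEY)

if __name__ == "__main__":
    print(find_candidate_configs(SAMPLE_TITLE, SAMPLE_KEY))  # ['c2.example.invalid:8080']
```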

Protecting your Windows system from attacks like this one requires an up-to-date security software suite, which can identify and halt the malicious files before they get a chance to cause any trouble.

September 20, 2021