Numando, a new Latin American banking trojan that exploits YouTube, Pastebin, and other public sites as C2 infrastructure and to spread, has been discovered. The threat actor responsible for this banking Trojan has been active since at least 2018 and is nearly entirely focused on Brazil. Researchers have also discovered rare cyberattacks on users in Mexico and Spain. The Trojan discovered by ESET researchers is written in Delphi and uses bogus overlay windows to deceive users into revealing sensitive data.
Some Numando variations, according to ESET’s investigation, store the images in an encrypted ZIP file inside their.rsrc sections, while others use a distinct Delphi DLL especially for this purpose. Numando can replicate mouse and keyboard operations, restart and shutdown the system, display overlay windows, take screenshots, and destroy browser activities using backdoor functionality. The directives are defined as integers rather than texts, unlike other Latin American banking malwares.
Numando is almost exclusively delivered through spam campaigns; recent attacks used communications that included a ZIP file with an MSI installer. The installation includes a CAB archive containing a legit application, an injector, and a Numando banking trojan DLL that is encrypted.
When the MSI is executed, it will launch the regular application as well as the injector, which loads and decrypts the payload. The malware is hidden in a large .BMP image file
When Numando is installed on a target machine, it will generate bogus overlay windows and users’ credentials are collected and transferred to the malware’s command-and-control (C2) server when they enter the data. Numando uses public platforms such as Pastebin and YouTube for remote configuration, a tactic exploited by other malware such as Casbaneiro. ESET alerted Google to the report’s existence, and they were soon removed.
You might also like: