The new type of banking trojan known as Numando is able to access all the identity information of its targeted victims. The virus uses public platforms to spread.
ESET researchers have detected a new banking trojan virus known as Numando that abuses YouTube, Pastebin and other public platforms as C2 infrastructure to spread.
The threat behind this virus has been active since at least 2018 and focuses almost exclusively on Brazil; However, experts point out that there are rare attacks against users in Mexico and Spain. Like other Latin American banking trojans, this new type is written in Delphi and is based on the principle of deceiving victims through fake windows to capture sensitive information.
Virus targets victims' credentials
In the analysis published by ESET, "Some Numando derivatives store these images in an encrypted ZIP archive in .rsrc sections, while others use a separate Delphi DLL for this storage only. Back output capabilities allow Numando to simulate mouse and keyboard actions, restart the machine and terminate browser processing. “ and “But unlike other Latin American banking trojans, commands are defined as numbers rather than strings, which is also what inspired us to name this malware family. “He gave his statements.
Experts realized that, unlike other Latin American banking trojans they analyzed, Numando is not in the development stage.
Distributed almost exclusively by malicious spam campaigns, Numando used messages using a ZIP attachment containing MSI installer in its latest attacks. Loader; it contains a CAB archive containing a legitimate application, an injector, and an encrypted Numando banking trojan DLL. By running MSI, the injector that decrypts the code by loading the legal application and payload is also activated. Once Numando is installed on the target device, it causes fake windows that capture credentials every time the victim visits a financial institution's site.
Utilizing public services
In addition, experts uncovered another distribution chain used in recent attacks, which started with a Deplhi downloader downloading a decoy ZIP archive. The downloader ignores the contents of the ZIP archive and extracts an encoded 16 string from the ZIP file comment at the end of the file, and decoding this string results in a different URL to the actual payload archive.
“The second ZIP archive contains a legitimate application, an injector, and a suspiciously large BMP image,” the report said. When the downloader extracts the contents of this archive and runs the legitimate application that installs the injector, the Numando banking trojan also comes out in the BMP overlay and starts working. “This BMP file is a valid image, and because the overlay is simply ignored, it can be opened by most viewers and editors without any problems,” the statements also pass.
Numando uses public services such as Pastebin and YouTube for remote configuration, a technique used by other malware such as Casbaneiro.
Numando can also simulate mouse clicks and keyboard actions and hijack PC shutdown and restart functions, take screenshots and terminate browser processes.
Turkey (Türkçe)
Worldwide (English)
