A new Latin American banking trojan, tracked as Numando, has been spotted abusing YouTube, Pastebin, and other public platforms as C2 infrastructure and as a means to spread.
The threat actor behind this banking Trojan has been active since at least 2018 and focuses almost exclusively on Brazil. Researchers have also spotted rare attacks against users in Mexico and Spain.
The Trojan, spotted by ESET researchers, is written in Delphi and uses fake overlay windows to trick victims into providing sensitive information.
According to the analysis published by ESET, some Numando variants store the images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes. Unlike other Latin American banking trojans, the commands are defined as numbers rather than strings.
Numando is distributed almost exclusively through malspam campaigns; recent attacks used messages carrying a ZIP attachment that contains an MSI installer. The installer contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. When the MSI is executed, it eventually runs the legitimate application as well as the injector, which loads and decrypts the payload.
Once Numando is installed on a target machine, it creates fake overlay windows every time the victim visits the website of a financial organization and captures the credentials they enter.
Numando leverages public services such as Pastebin and YouTube for the remote configuration, a technique used by other malware like Casbaneiro.
ESET reported the existence of the YouTube videos to Google, which quickly removed them.