Malware

Numando, a new banking Trojan that abuses YouTube for remote configuration

Numando, a new banking Trojan that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread.

ESET researchers spotted a new LATAM banking trojan, tracked as Numando, that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread.

The threat actor behind this banking Trojan has been active since at least 2018, it focuses almost exclusively on Brazil but experts spotted rare attacks against users in Mexico and Spain.

Like other Latin American banking trojans, it is written in Delphi and utilizes fake overlay windows to trick victims into providing sensitive information.

“Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes.” reads the analysis published by ESET. “Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings, which inspired our naming of this malware family.”

The Trojan implements Backdoor capabilities to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes. 

Experts noticed that unlike other Latin American banking trojans they analyzed, Numando isn’t under development.

Numando is distributed almost exclusively by malspam campaigns, recent attacks employed messages using a ZIP attachment containing an MSI installer. The installer contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Upon executing the MSI, it will eventually run the legitimate application as well the injector that loads the payload and decrypts it.

Once Numando is installed on a target machine, it will create fake overlay windows every time the victim visits the website of a financial organization and captures the credentials they provide. 

Experts also uncovered another distribution chain employed in recent attacks that starts with a Delphi downloader downloading a decoy ZIP archive. The downloader ignores the content of the ZIP archive and extracts a hex-encoded encrypted string from the ZIP file comment at the end of the file. Decrypting the string results in a different URL that leads to the actual payload archive.

“The second ZIP archive contains a legitimate application, an injector and a suspiciously large BMP image. The downloader extracts the contents of this archive and executes the legitimate application, which side-loads the injector that, in turn, extracts the Numando banking trojan from the BMP overlay and executes it.” continues the report.

“This BMP file is a valid image and can be opened in a majority of image viewers and editors without issue, as the overlaly is simply ignored.”

Numando leverages public services such as Pastebin and YouTube for the remote configuration, a technique used by other malware like Casbaneiro.  

ESET reported the existence of the report to Google that quickly removed them. 

Numando is also able to simulate mouse clicks and keyboard actions, hijack PC shutdown and restart functions, take screenshots, and kill browser processes. 

The report published by ESET includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, banking trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

PoC exploit for critical RCE flaw in Fortra FileCatalyst transfer tool released

Fortra addressed a critical remote code execution vulnerability impacting its FileCatalyst file transfer product. Fortra has released…

11 hours ago

Fujitsu suffered a malware attack and probably a data breach

Technology giant Fujitsu announced it had suffered a cyberattack that may have resulted in the…

13 hours ago

Remove WordPress miniOrange plugins, a critical flaw can allow site takeover

A critical vulnerability in WordPress miniOrange's Malware Scanner and Web Application Firewall plugins can allow…

19 hours ago

The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats

Resecurity reported about the increasing wave of cyber incidents targeting the aerospace and aviation sectors.…

22 hours ago

Email accounts of the International Monetary Fund compromised

Threat actors compromised at least 11 International Monetary Fund (IMF) email accounts earlier this year,…

24 hours ago

Threat actors leaked 70,000,000+ records allegedly stolen from AT&T

Researchers at vx-underground first noticed that more than 70,000,000 records from AT&T were leaked on…

2 days ago

This website uses cookies.