Numando, a new banking Trojan that abuses YouTube for remote configuration

Numando, a new banking Trojan that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread.

ESET researchers spotted a new LATAM banking trojan, tracked as Numando, that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread.

The threat actor behind this banking Trojan has been active since at least 2018, it focuses almost exclusively on Brazil but experts spotted rare attacks against users in Mexico and Spain.

Like other Latin American banking trojans, it is written in Delphi and utilizes fake overlay windows to trick victims into providing sensitive information.

“Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes.” reads the analysis published by ESET. “Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings, which inspired our naming of this malware family.”

The Trojan implements Backdoor capabilities to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes. 

Experts noticed that unlike other Latin American banking trojans they analyzed, Numando isn’t under development.

Numando is distributed almost exclusively by malspam campaigns, recent attacks employed messages using a ZIP attachment containing an MSI installer. The installer contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Upon executing the MSI, it will eventually run the legitimate application as well the injector that loads the payload and decrypts it.

Once Numando is installed on a target machine, it will create fake overlay windows every time the victim visits the website of a financial organization and captures the credentials they provide. 

Experts also uncovered another distribution chain employed in recent attacks that starts with a Delphi downloader downloading a decoy ZIP archive. The downloader ignores the content of the ZIP archive and extracts a hex-encoded encrypted string from the ZIP file comment at the end of the file. Decrypting the string results in a different URL that leads to the actual payload archive.

“The second ZIP archive contains a legitimate application, an injector and a suspiciously large BMP image. The downloader extracts the contents of this archive and executes the legitimate application, which side-loads the injector that, in turn, extracts the Numando banking trojan from the BMP overlay and executes it.” continues the report.

“This BMP file is a valid image and can be opened in a majority of image viewers and editors without issue, as the overlaly is simply ignored.”

Numando leverages public services such as Pastebin and YouTube for the remote configuration, a technique used by other malware like Casbaneiro.  

ESET reported the existence of the report to Google that quickly removed them. 

Numando is also able to simulate mouse clicks and keyboard actions, hijack PC shutdown and restart functions, take screenshots, and kill browser processes. 

The report published by ESET includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, banking trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]