ESET researchers have detected a new banking trojan, known as Numando, that abuses YouTube, Pastebin and other public platforms as part of its command-and-control (C2) infrastructure.

The threat actor behind this malware has been active since at least 2018 and focuses almost exclusively on Brazil, although experts note rare attacks against users in Mexico and Spain. Like other Latin American banking trojans, this new strain is written in Delphi and relies on deceiving victims with fake windows to obtain sensitive information.

Numando targets victims' credentials

In the analysis published by ESET, the researchers write: "Some Numando variants store these (fake-window) images in an encrypted ZIP archive in their .rsrc sections, while others use a separate Delphi DLL dedicated to this storage. Its backdoor capabilities allow Numando to simulate mouse and keyboard actions, reboot the machine, and terminate browser processes." They add: "But unlike other Latin American banking trojans, its commands are defined as numbers rather than strings, which is also what inspired us to name this malware family."

Unlike the other Latin American banking trojans the experts have analyzed, it is not apparent whether Numando is still under active development.

Distributed almost exclusively through malicious spam campaigns

Numando is distributed almost exclusively through malicious spam campaigns. In its latest campaigns the messages carry a ZIP attachment containing an MSI installer, which in turn contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. When the MSI is run, the legitimate application is launched and the injector that loads and decrypts the payload is activated with it. Once installed on the target device, Numando captures credentials by displaying fake windows every time the victim visits a financial institution's site.

Public services used in the distribution chain

The experts also uncovered a second distribution chain used in recent attacks, which starts with a Delphi downloader fetching a decoy ZIP archive. The downloader ignores the contents of the archive and instead extracts an encoded (hexadecimal) string from the ZIP file comment at the end of the file; decrypting that string yields the URL of the actual payload archive.
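The ZIP file comment is a legitimate, rarely used field that sits after the end-of-central-directory (EOCD) record, so ordinary extraction never touches it. The following Python is an added example written for this article, not code from ESET or from the malware: it locates the EOCD record by hand, pulls out the archive comment, and flags archives whose comment is a long hex blob, then cross-checks the hand parser against the standard library. The sample archives and the placeholder URL (`example.invalid` is a reserved name) are constructed here.

```python
import io
import re
import struct
import zipfile

# End-of-central-directory (EOCD) record signature; the archive comment
# follows the record's 22-byte fixed part, and its length is at offset 20.
EOCD_SIG = b"PK\x05\x06"
HEX_RE = re.compile(rb"^[0-9A-Fa-f]+$")


def extract_zip_comment(data: bytes) -> bytes:
    """Locate the EOCD record by hand and return the archive-level comment.

    The comment is at most 65535 bytes, so the EOCD signature must lie
    within the last 65535 + 22 bytes of the file.
    """
    tail = data[-(65535 + 22):]
    idx = tail.rfind(EOCD_SIG)
    if idx < 0 or len(tail) - idx < 22:
        raise ValueError("no EOCD record found: not a ZIP archive")
    record = tail[idx:]
    comment_len = struct.unpack_from("<H", record, 20)[0]
    return record[22:22 + comment_len]


def assess_zip_comment(data: bytes, min_len: int = 16) -> dict:
    """Flag an archive whose comment is a long, even-length hex string.

    Legitimate archives rarely carry a comment at all; a hex blob of
    min_len or more characters sitting past the central directory is worth
    a closer look, because it is reachable by a loader without touching any
    of the archive entries the user sees.
    """
    comment = extract_zip_comment(data)
    hex_blob = (
        len(comment) >= min_len
        and len(comment) % 2 == 0
        and HEX_RE.match(comment) is not None
    )
    return {
        "comment_length": len(comment),
        "hex_blob": hex_blob,
        "suspicious": hex_blob,
    }


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand parser against zipfile's own EOCD handling."""
    return zipfile.ZipFile(io.BytesIO(data)).comment == extract_zip_comment(data)


def build_sample(comment: bytes) -> bytes:
    """Constructed test archive: one decoy entry plus the given comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "decoy content the downloader never reads")
        zf.comment = comment
    return buf.getvalue()


# Constructed samples: an ordinary archive, and one whose comment is the
# hex encoding of a placeholder URL (not a real indicator).
BENIGN = build_sample(b"")
STAGED = build_sample(b"https://example.invalid/payload.zip".hex().encode())

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("staged", STAGED)):
        print(name, assess_zip_comment(blob))
```

Run it as a script and the staged archive is reported with a 70-character hex comment while the benign one is clean. The hex heuristic is a triage signal, not proof: an encrypted (rather than merely hex-encoded) comment would not match it, so a mail gateway rule that simply flags any non-empty archive comment on inbound ZIP attachments is the more robust control.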

The report goes on: "The second ZIP archive contains a legitimate application, an injector, and a suspiciously large BMP image. When the downloader extracts the contents of this archive and runs the legitimate application, which loads the injector, the Numando banking trojan is extracted from the BMP overlay and starts running." It also notes: "This BMP file is a valid image and can be opened by most viewers and editors without any problems, as the overlay is simply ignored."
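Because image viewers stop reading at the end of the pixel data, bytes appended after it (an overlay) never affect how the image renders. The following Python is an added example written for this article, not ESET's code or the malware's: it parses the two BMP headers, computes where the pixel data should end, and reports any trailing bytes. It checks both the declared file size and the pixel extent, because the former can be rewritten to match the file while the latter cannot without changing the visible image. The 2x2 sample image and the 4096 bytes of filler standing in for an overlay are constructed here.

```python
import struct

FILE_HEADER = "<2sIHHI"       # bfType, bfSize, reserved x2, bfOffBits (14 bytes)
INFO_HEADER = "<IiiHHIIiiII"  # BITMAPINFOHEADER (40 bytes)


def row_stride(width: int, bpp: int) -> int:
    """Pixel rows are padded to a 4-byte boundary."""
    return ((bpp * width + 31) // 32) * 4


def parse_bmp(data: bytes) -> dict:
    """Read the two BMP headers and compute where the pixel data ends."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, declared_size, _, _, off_bits = struct.unpack_from(FILE_HEADER, data, 0)
    (_, width, height, _, bpp, compression,
     size_image, *_rest) = struct.unpack_from(INFO_HEADER, data, 14)
    # Uncompressed writers may leave biSizeImage at 0; derive it from geometry.
    if compression == 0 and size_image == 0:
        size_image = row_stride(width, bpp) * abs(height)
    return {
        "declared_size": declared_size,
        "pixel_end": off_bits + size_image,
        "actual_size": len(data),
        "width": width,
        "height": abs(height),
        "bpp": bpp,
    }


def assess_bmp(data: bytes) -> dict:
    """Report trailing bytes past the pixel data (an overlay).

    A viewer stops at pixel_end, so anything after it is invisible to the
    user but fully available to a loader that knows the offset.
    """
    info = parse_bmp(data)
    overlay = info["actual_size"] - info["pixel_end"]
    info["overlay_bytes"] = max(overlay, 0)
    info["size_field_mismatch"] = info["declared_size"] != info["actual_size"]
    info["suspicious"] = info["overlay_bytes"] > 0
    return info


def build_bmp(width: int, height: int, rgb=(0, 0, 255)) -> bytes:
    """Constructed 24-bit uncompressed BMP filled with one colour."""
    stride = row_stride(width, 24)
    row = bytes(rgb[::-1]) * width            # BMP stores pixels as BGR
    row += b"\x00" * (stride - len(row))
    pixels = row * height
    info = struct.pack(INFO_HEADER, 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack(FILE_HEADER, b"BM", 14 + 40 + len(pixels), 0, 0, 54)
    return file_hdr + info + pixels


def patch_declared_size(data: bytes, new_size: int) -> bytes:
    """Rewrite bfSize so the header agrees with the file length.

    Used here only to show that the pixel-extent check still catches the
    overlay when the size field alone would not.
    """
    return data[:2] + struct.pack("<I", new_size) + data[6:]


# Constructed samples: a clean 2x2 image (70 bytes), the same image with
# 4096 filler bytes appended (a stand-in for an overlay, not a payload),
# and the appended version with bfSize adjusted to cover the extra bytes.
CLEAN = build_bmp(2, 2)
WITH_OVERLAY = CLEAN + b"\x41" * 4096
PATCHED = patch_declared_size(WITH_OVERLAY, len(WITH_OVERLAY))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("overlay", WITH_OVERLAY), ("patched", PATCHED)):
        print(name, assess_bmp(img))
```

The "suspiciously large" observation from the report becomes measurable here: for a 2x2 image the pixel data is 16 bytes, so an overlay of thousands of bytes is orders of magnitude larger than the picture itself, and the ratio of `overlay_bytes` to `pixel_end` is a useful score when triaging images dropped alongside an unexpected executable.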

For remote configuration, Numando relies on public services such as Pastebin and YouTube, a technique also used by other malware such as Casbaneiro.

Numando can also simulate mouse clicks and keyboard actions, hijack the PC's shutdown and restart functions, take screenshots, and terminate browser processes.

Michael Lewis