ESET researchers have detected a banking trojan, known as Numando, that abuses YouTube, Pastebin and other public platforms as part of its C2 infrastructure.
The threat actor behind this malware has been active since at least 2018 and focuses almost exclusively on Brazil; however, the researchers note rare attacks against users in Mexico and Spain. Like other Latin American banking trojans, this new strain is written in Delphi and relies on deceiving victims with fake windows to obtain sensitive information.
Virus targets victims’ credentials
In the analysis published by ESET, the researchers write: “Some Numando variants store these images in an encrypted ZIP archive in their .rsrc sections, while others use a separate Delphi DLL only for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, reboot the machine, and terminate browser processes.” And: “But unlike other Latin American banking trojans, the commands are defined as numbers rather than strings, which is also what inspired us to name this malware family.”
Unlike other Latin American banking trojans the researchers have analyzed, Numando is still in development.
Distributed almost exclusively through malicious spam campaigns, Numando in its latest campaigns used messages carrying a ZIP attachment that contains an MSI installer. The MSI contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. When the MSI is run, the legitimate application is launched and loads the injector, which in turn decrypts and runs the payload. Once installed on the target device, Numando captures credentials by displaying fake windows whenever the victim visits a financial institution’s site.
Abuse of public services in the distribution chain
In addition, the researchers uncovered another distribution chain used in recent attacks, which starts with a Delphi downloader fetching a decoy ZIP archive. The downloader ignores the contents of the ZIP archive and instead extracts an encoded 16-digit string from the ZIP file comment at the end of the file; decrypting this string yields the URL of a second archive that carries the actual payload.
The report adds: “The second ZIP archive contains a legitimate application, an injector, and a suspiciously large BMP image. When the downloader extracts the contents of this archive and runs the legitimate application that loads the injector, the Numando banking trojan is extracted from the BMP overlay and starts working.” And: “This BMP file is a valid image and can be opened by most viewers and editors without any problems, as the overlay is simply ignored.”
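As an added example (not code from ESET's report), two defensive triage checks for the delivery chain described above, written in Python: one reads the archive comment from a ZIP's end-of-central-directory record, the other measures how many bytes trail past the size a BMP file header declares. The sample files and function names are constructed for this example.

```python
import io
import struct
import zipfile

# Added triage helpers (not ESET's code). Both operate on in-memory bytes
# so they can be applied to attachments pulled from a mail gateway or sandbox.


def zip_comment(data: bytes) -> bytes:
    """Return the archive comment stored in the ZIP end-of-central-directory record."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.comment  # bytes; empty for most legitimate archives


def bmp_overlay_size(data: bytes) -> int:
    """Return the number of bytes appended beyond the size the BMP file header declares."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size = struct.unpack_from("<I", data, 2)[0]  # bfSize field
    # A truncated file (declared > actual) is not an overlay; report 0 for it.
    return max(0, len(data) - declared_size)


# --- constructed samples, used only to exercise the checks offline ---

def make_zip_with_comment(comment: bytes) -> bytes:
    """Build a small decoy ZIP whose only interesting content is its trailing comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.txt", "harmless text")
        zf.comment = comment
    return buf.getvalue()


def make_bmp(overlay: bytes = b"") -> bytes:
    """Build a valid 1x1 24-bit BMP and append an optional overlay after the pixel data."""
    pixel_row = b"\x00\x00\xff\x00"  # one BGR pixel plus padding to a 4-byte row
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel_row), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixel_row)
    file_header = b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib))
    return file_header + dib + pixel_row + overlay


if __name__ == "__main__":
    print(zip_comment(make_zip_with_comment(b"0123456789ABCDEF")))  # b'0123456789ABCDEF'
    print(bmp_overlay_size(make_bmp(b"\x90" * 2048)))                # 2048
```

A non-empty, encoded-looking archive comment or a BMP with thousands of overlay bytes is not proof of malice on its own, but either is cheap to flag for closer inspection.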
For remote configuration, Numando uses a technique seen in other malware such as Casbaneiro: it abuses public services like Pastebin and YouTube.
Numando can also simulate mouse clicks and keyboard actions, hijack the PC’s shutdown and restart functions, take screenshots, and terminate browser processes.