ESET Research dissects Numando: A banking trojan targeting Brazil, Mexico and Spain, and misusing YouTube
Created: 2021-09-17 03:16:15
BRATISLAVA, PRAGUE — ESET Research continues its series on Latin American banking trojans, this time dissecting Numando, which targets mainly Brazil and rarely Mexico and Spain. Numando is similar to the other malware families described in this series in its use of fake overlay windows, backdoor functionality, and abuse of public services such as YouTube to store its remote configuration. However, unlike most of the other Latin American banking trojans, Numando does not show signs of continuous development.
The threat actor behind this malware family has been active since at least 2018. “Even though Numando is not nearly as lively as other trojans such as Mekotio or Grandoreiro, it has been consistently used since we started tracking it, bringing interesting new techniques to the pool of Latin American banking trojans’ tricks,” says Jakub Souček, coordinator of the ESET team that analyzed Numando.
Numando’s backdoor capabilities allow it to simulate mouse and keyboard actions, restart and shut down the machine, display overlay windows, take screenshots, and kill browser processes. It utilizes fake overlay windows to lure sensitive information out of its victims.
Among the new techniques, Numando uses seemingly useless ZIP archives or bundles payloads with decoy BMP images that are suspiciously large. These BMP files are valid images that can be opened in a majority of image viewers and editors without issue. Numando is distributed almost exclusively by spam.
Like many other Latin American banking trojans, Numando abuses public services to store its remote configuration — YouTube and Pastebin in this case. Google took the YouTube videos down promptly based on ESET’s notification.
For more technical details about Numando, read the blogpost “Numando: Count once, code twice” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.