ESET Research: Latin American banking trojans spread to Europe at the height of activity

Created: 2021-12-15 03:27:15

  • Latin American banking trojans are an ongoing, evolving threat and ESET has recently seen some of their biggest campaigns to date.
  • They target mainly Brazil, Spain, and Mexico.
  • Mekotio and Grandoreiro expanded to Europe, mainly targeting Spain but also Italy, France and Belgium.
  • There are at least eight different malware families still active.
  • In June this year, Spanish law enforcement arrested 16 people related to Mekotio and Grandoreiro.
  • The vast majority (90%) are distributed via spam.

BRATISLAVA, PRAGUE — December 15, 2021 — ESET Research is today concluding its blogpost series dedicated to demystifying Latin American banking trojans, which started in August 2019. Since then, it has covered the most active ones, namely Amavaldo, Casbaneiro, Mispadu, Guildma, Grandoreiro, Mekotio, Vadokrist, Ousaban and Numando. Latin American banking trojans share a lot of common characteristics and behavior. Altogether, ESET has identified a dozen different malware families, most of which remain active to this day. The most significant discovery during the course of this investigation is the expansion of Mekotio and Grandoreiro to Europe, mainly Spain. ESET researchers have also observed occasional small campaigns targeting Italy, France and Belgium. Since Latin American banking trojans expanded to Europe, they have been getting more attention from both researchers and police forces. In the last few months, ESET has seen some of their biggest campaigns to date.

ESET telemetry shows a surprisingly large increase in the reach of Ousaban, Grandoreiro and Casbaneiro in recent months, leading to the conclusion that the threat actors behind these malware families are determined to continue their nefarious actions against users in targeted countries.

The campaigns we see always come in waves and more than 90% of them are distributed through spam, usually leading to a ZIP archive or an MSI installer. One campaign usually lasts for a week at most.

“Brazil is still the most targeted country, followed by Spain and Mexico. Since 2020, Grandoreiro and Mekotio expanded to Europe – mainly Spain. What started as several minor campaigns, likely to test the new territory, evolved into something much bigger. In fact, in August and September 2021, Grandoreiro launched its largest campaign so far and it targeted Spain,” says ESET researcher Jakub Souček, who leads the investigation into Latin American banking trojans.

In June this year, Spanish law enforcement arrested 16 people related to Mekotio and Grandoreiro. In the report, police state that almost €300,000 were stolen and they were able to block the transfer of a total of €3.5 million. Correlating this arrest with Latin American banking trojan activity in Spain, Mekotio seems to have taken a much larger hit than Grandoreiro, leading ESET to believe that the arrested people were more connected to Mekotio. Even though Mekotio went very quiet for almost two months after the arrest, ESET continues to see new campaigns distributing Mekotio.

Latin American banking trojans used to change rapidly. In the early days of ESET’s tracking, some of them were adding to or modifying their core features even several times a month. Nowadays they still change very often, but the core seems to remain mostly untouched. Due to the partially stabilized development, we believe the operators are now focusing on improving distribution.

“Latin American banking trojans require a lot of conditions to attack successfully,” explains Souček. “Potential victims need to follow steps required to install the malware on their machines; they need to visit a targeted website and log into their accounts. On the other side, operators need to react to this situation by manually commanding the malware to display the fake pop-up window and take control of the victim’s machine.”

During the course of this research series, several Latin American banking trojans became inactive, namely Krachulka, Lokorrito and Zumanek. ESET researchers also discovered Janeleiro, a new Latin American banking trojan. In the future, ESET expects that some of these banking trojans may expand to the Android platform.

For more technical details about these Latin American banking trojans, read the blogpost “The dirty dozen of Latin America: From Amavaldo to Zumanek” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product on which the ESET product line, including ESET Smart Security, is built. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that avoids the unnecessarily large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.
