Numando Banking Trojan Abuses YouTube, Pastebin and other Public Platforms
CISO MAG, September 22, 2021 at 1:30 pm

The post Numando Banking Trojan Abuses YouTube, Pastebin and other Public Platforms appeared first on CISO MAG | Cyber Security Magazine.

ESET Research spotted a banking Trojan Numando, as part of a series on Malware in Latin America. Numando, like its other malware families, uses fake overlay windows, backdoor functionality, and abuse of public services such as YouTube and Pastebin to store its remote configuration.

This threat actor has been reported to be active since 2018 and has consistently introduced new techniques into the group of Latin American banking Trojans. Numando is written in Delphi.

Numando is delivered in ZIP archives, or bundles its payloads with decoy BMP images: large, valid images that open and display normally. Its backdoor capabilities allow it to shut down the machine by simulating mouse and keyboard actions, display overlay windows, take screenshots and kill browser processes. It uses the fake overlay windows to entice victims into entering sensitive information and financial credentials.

How it Works

Campaigns and phishing emails are the typical mode of distribution for the banking Trojan.

A .ZIP file is sent to victims as a decoy.
The file contains a .CAB archive bundled with a legitimate software application, an injector, and the Trojan.
A large .BMP file masks the malware.
When the legitimate application is executed, the injector is side-loaded, and the malware is then decrypted using an XOR algorithm and a key.
Numando abuses public services such as Pastebin and YouTube for distribution.
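A defensive triage check suggested by the delivery chain above: a decoy BMP that "masks" a payload is typically larger than its own headers say it should be, and it travels inside an archive next to a CAB, an executable or a DLL. The script below is an added example written for this article, not code from ESET or CISO MAG. It parses the BMP file and DIB headers to compute the size a valid uncompressed bitmap should have, reports any trailing bytes (the overlay), and flags archive members with executable or CAB extensions. The sample archive it inspects is constructed inline (a benign text file, a tiny image with 4 KiB of filler appended, and a placeholder file with an .exe name); nothing in it is real malware.

```python
import io
import struct
import zipfile

# Member types that should not normally sit next to a decoy image in a mail
# attachment; their presence alongside an oversized BMP is what we flag.
SUSPICIOUS_EXT = (".exe", ".dll", ".cab")


def bmp_expected_size(data: bytes):
    """Return the byte length a BMP *should* have, derived from its headers.

    Returns None when the data is not an uncompressed BITMAPINFOHEADER-style
    BMP, because pixel size cannot then be computed from the dimensions alone.
    """
    if len(data) < 54 or data[:2] != b"BM":
        return None
    # BITMAPFILEHEADER: bfSize at offset 2, four reserved bytes, bfOffBits at 10.
    _bf_size, off_bits = struct.unpack_from("<I4xI", data, 2)
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size < 40:
        return None  # BITMAPCOREHEADER uses a different layout; not handled
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
    if compression not in (0, 3):  # BI_RGB / BI_BITFIELDS only
        return None
    stride = ((abs(width) * bpp + 31) // 32) * 4  # rows are padded to 4 bytes
    return off_bits + stride * abs(height)


def bmp_overlay_bytes(data: bytes):
    """Bytes appended after the pixel data (the 'overlay'); None if unknown."""
    expected = bmp_expected_size(data)
    if expected is None:
        return None
    return max(0, len(data) - expected)


def triage_zip(zip_bytes: bytes, min_overlay: int = 1024):
    """Flag BMP members with a large overlay and any bundled executables/CABs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".bmp"):
                overlay = bmp_overlay_bytes(zf.read(info))
                if overlay is not None and overlay >= min_overlay:
                    findings.append((info.filename, "bmp_overlay", overlay))
            elif name.endswith(SUSPICIOUS_EXT):
                findings.append((info.filename, "executable_or_cab", info.file_size))
    return findings


def make_bmp(width: int, height: int, overlay: bytes = b"") -> bytes:
    """Build a minimal valid 24-bit BMP (all-black pixels) plus optional trailing data."""
    bpp = 24
    stride = ((width * bpp + 31) // 32) * 4
    pixels = bytes(stride * height)
    off_bits = 14 + 40  # file header + BITMAPINFOHEADER
    file_header = b"BM" + struct.pack("<IHHI", off_bits + len(pixels), 0, 0, off_bits)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp,
                             0, len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels + overlay


def build_sample_zip() -> bytes:
    """Constructed sample archive (no real malware) for exercising triage_zip."""
    filler = bytes((i * 37) & 0xFF for i in range(4096))  # constructed filler, not a payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed benign text")
        zf.writestr("image.bmp", make_bmp(2, 2, filler))
        zf.writestr("setup.exe", b"constructed placeholder, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, size in triage_zip(build_sample_zip()):
        print(f"{name}: {kind} ({size} bytes)")
```

The heuristic only catches data appended after the declared pixel area; a decoy that is simply a genuinely large, valid image (as the article notes Numando also uses) will not trip the overlay check, so the executable/CAB co-occurrence finding is the one to weight in mail-gateway rules. The `min_overlay` threshold exists because some image editors legitimately leave a few padding bytes at the end of a file.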

On being informed, Google took down many of these videos used to spread the Trojan. The main target regions have been Brazil and some areas of Mexico and Spain.

Banking customers are advised to follow security best practices and to be extra vigilant about the active Trojan.

Banking Trojan Explained

According to Investopedia, a banking Trojan is a piece of malware that attempts to steal credentials from a financial institution’s clients or gain access to their financial information. Many times, a banking Trojan will use a spoofed website of a financial institution to redirect client data to the attacker.

Like other Trojan horses, a banking Trojan often appears innocuous but can cause harm if downloaded and installed onto a device or computer.

See also: What You Need to Know Now About Banking Trojans

Top Banking Trojans

Per Heimdal Security, here is a list of banking malware/Trojans that have been wreaking havoc in the banking sector:

Zbot/Zeus: A Trojan that infects Windows users and tries to retrieve confidential information from the infected computers.

Zeus Gameover: Financial-theft malware that relies on a peer-to-peer botnet infrastructure.

SpyEye: Data-stealing malware (similar to Zeus) created to siphon off money from online bank accounts.

Shylock: Banking malware crafted to retrieve users' banking credentials for fraudulent purposes.

DanaBot: A banking malware with multiple variants that function as malware-as-a-service, with several active affiliates that keep growing.

TrickBot: Malware targets the financial information and credentials of the user and spreads through malicious spam emails.

Panda: A banking Trojan that uses many of Zeus’s malware techniques like man-in-the-browser and keylogging but has advanced stealth capabilities.

Kronos: One of the most sophisticated Trojans, with code obfuscated using a multitude of techniques. It focuses on stealing banking login credentials from browser sessions using a combination of web injections and keylogging. It has reportedly been given a new identity and is sold as the Osiris banking Trojan.

Bizarro: Malware that spreads via malicious links in spam emails, pilfering consumers' financial information and mobile crypto wallets as it goes.

A Trend Micro report revealed that the banking industry experienced a 1,318% year-on-year increase in ransomware attacks in the first half of 2021. Banking malware and formerly local Trojans are going global, exploiting the COVID-19 pandemic worldwide to lure new victims and expand their reach.

