LatAm Banking Trojans Collaborate in Never-Before-Seen Effort

Virus Bulletin 2020 — A loose affiliation of cybercriminals is working together to author and distribute multiple families of banking trojans in Latin America – a collaborative effort that researchers say is highly unusual.

Multiple, distinct malware families have plagued Latin American banking customers for years – the variants include Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist and Zumanek, according to ESET.

In examining these families over time, ESET researchers began to notice “some similarities between multiple families in our series, such as using the same uncommon algorithm to encrypt strings or suspiciously similar DGAs [domain-generation algorithms] to obtain C2 server addresses,” according to a Thursday analysis.

The trojans also share “practically identical implementation[s] of the banking trojans’ cores,” including sending notifications to operators, periodically scanning active windows based on name or title and using carefully designed pop-up windows designed to mimic banking apps and harvest information.

The families also share uncommon third-party libraries, string encryption algorithms, and string and binary obfuscation techniques, researchers said.

What also caught the researchers’ eye is the fact that the banking trojans all use a very similar distribution flow. With typical malware, “a lot of time, we can predict which banking trojan is going to download based on the distribution flow,” said ESET researcher Jakub Souček, speaking on the research at the Virus Bulletin 2020 conference this week along with his colleague, Martin Jirkal. This isn’t the case with the Latin American trojans, he added.

“They usually check for a marker (an object, such as a file or registry key value used to indicate that the machine has already been compromised), and download data in ZIP archives,” according to the researcher. “Besides that, we have observed identical distribution chains ending up distributing multiple Latin American banking trojans. It is also worth mentioning that since 2019, the vast majority of these malware families started to utilize Windows Installer (MSI files) as the first stage of the distribution chain.”

Most Latin American banking trojans also share execution methods, including DLL side-loading of the same set of vulnerable software applications and abuse of a legitimate AutoIt interpreter. The collaboration also appears to extend to geo-targeting.
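As an added detection example (not code from the article or from ESET's research), the following heuristic flags the execution chain described above: an MSI first stage that leads, directly or through intermediate processes, to the legitimate AutoIt interpreter. The telemetry is constructed to mimic Sysmon process-creation fields; the interpreter image name (AutoIt3.exe) and the ancestry depth bound are assumptions, not indicators from the report.

```python
"""Added detection example (not code from the Threatpost article or ESET).
Flags the chain the article describes: an MSI first stage (msiexec.exe) that
leads, directly or via intermediates, to the legitimate AutoIt interpreter.
Telemetry is constructed to mimic Sysmon process-creation fields; the image
name AutoIt3.exe and the depth bound are assumptions, not reported indicators."""
from dataclasses import dataclass
import ntpath

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str

def _basename(path: str) -> str:
    return ntpath.basename(path).lower()

def ancestor_images(by_pid: dict[int, ProcEvent], pid: int, max_depth: int = 8) -> list[str]:
    """Lower-cased image names of pid's ancestors, nearest first.
    The depth bound guards against ppid loops in incomplete telemetry."""
    names: list[str] = []
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and len(names) < max_depth:
        cur = by_pid[cur.ppid]
        names.append(_basename(cur.image))
    return names

def flag_msi_to_autoit(events: list[ProcEvent]) -> list[int]:
    """PIDs of AutoIt interpreters with msiexec.exe somewhere in their ancestry.
    A renamed interpreter evades this name check; pair it with hash or
    OriginalFileName telemetry in a real deployment."""
    by_pid = {e.pid: e for e in events}
    return [e.pid for e in events
            if _basename(e.image) == "autoit3.exe"
            and "msiexec.exe" in ancestor_images(by_pid, e.pid)]

# Constructed sample telemetry: a benign install (pid 300), the suspicious
# chain (pid 320) and an AutoIt run with no MSI ancestor (pid 400).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Users\u\Downloads\Setup.msi"'),
    ProcEvent(300, 200, r"C:\Users\u\AppData\Local\Temp\Vendor\setup.exe", "setup.exe /quiet"),
    ProcEvent(310, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start run"),
    ProcEvent(320, 310, r"C:\Users\u\AppData\Local\Temp\x\AutoIt3.exe", "AutoIt3.exe script.a3x"),
    ProcEvent(400, 100, r"C:\Program Files\AutoIt3\AutoIt3.exe", "AutoIt3.exe admin_task.au3"),
]

if __name__ == "__main__":
    print("suspicious pids:", flag_msi_to_autoit(SAMPLE_EVENTS))  # [320]
```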

“Since late 2019, we see several [banking trojans] adding Spain and Portugal to the list of countries they target,” researchers said. “Moreover, different families use similar spam email templates in their latest campaigns, almost as if this were a coordinated move as well.”

It’s highly unlikely that separate malware gangs developed so many families with such a depth of similarities – which extend to “coding mistakes and things that don’t work,” Souček said. However, he stressed that it’s also unlikely that it’s one single group authoring all of the trojans.
