Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Numando, a new banking Trojan that abuses YouTube for remote configuration

Numando, a new banking Trojan that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread. ESET researchers spotted a new LATAM banking trojan, tracked as Numando, that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread. The threat actor behind this banking Trojan has been active since […]

numando

Numando, a new banking Trojan that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread.

ESET researchers spotted a new LATAM banking trojan, tracked as Numando, that abuses YouTube, Pastebin, and other public platforms as C2 infrastructure and to spread.

The threat actor behind this banking Trojan has been active since at least 2018, it focuses almost exclusively on Brazil but experts spotted rare attacks against users in Mexico and Spain.

Like other Latin American banking trojans, it is written in Delphi and utilizes fake overlay windows to trick victims into providing sensitive information.

“Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes.” reads the analysis published by ESET. “Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings, which inspired our naming of this malware family.”

The Trojan implements Backdoor capabilities to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes. 

Experts noticed that unlike other Latin American banking trojans they analyzed, Numando isn’t under development.

Numando is distributed almost exclusively by malspam campaigns, recent attacks employed messages using a ZIP attachment containing an MSI installer. The installer contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Upon executing the MSI, it will eventually run the legitimate application as well the injector that loads the payload and decrypts it.

numando

Once Numando is installed on a target machine, it will create fake overlay windows every time the victim visits the website of a financial organization and captures the credentials they provide. 

Experts also uncovered another distribution chain employed in recent attacks that starts with a Delphi downloader downloading a decoy ZIP archive. The downloader ignores the content of the ZIP archive and extracts a hex-encoded encrypted string from the ZIP file comment at the end of the file. Decrypting the string results in a different URL that leads to the actual payload archive.

“The second ZIP archive contains a legitimate application, an injector and a suspiciously large BMP image. The downloader extracts the contents of this archive and executes the legitimate application, which side-loads the injector that, in turn, extracts the Numando banking trojan from the BMP overlay and executes it.” continues the report.

“This BMP file is a valid image and can be opened in a majority of image viewers and editors without issue, as the overlaly is simply ignored.”

Numando leverages public services such as Pastebin and YouTube for the remote configuration, a technique used by other malware like Casbaneiro.  

ESET reported the existence of the report to Google that quickly removed them. 

Numando is also able to simulate mouse clicks and keyboard actions, hijack PC shutdown and restart functions, take screenshots, and kill browser processes. 

The report published by ESET includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, banking trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]