ESET researchers have continued their investigation on the Latin American banking trojans with Numando, primarily targeting Brazil and seldom Mexico and Spain in particular. This time it disassembles. Numando is comparable in its use of phony overlay windows, backdoor capability, and the manipulation of utilities such as YouTube to maintain remote configuration to the other malware families. However, Numando doesn’t show symptoms of continual evolution, as did several of the Latin American banking trojans.
Numando is operational since 2018, focusing entirely on Brazil but rare attacks are focused on consumers in Mexico and Spain were reported by specialists. This financial malware, which was written in Delphi, shows bogus overlaying windows to mislead victims into entering sensitive data, including bank services information.
It spreads exclusively via spam and phishing campaigns. Such efforts aren’t precisely sophisticated, and just a few hundred victims were found at the time of writing. As a consequence, it seems Numando is “considerably less successful” than others, such Mekotio and Grandoreiro, across Latin America.
The absence of complexity of the operator has probably helped to achieve a low rate of infection. Recent campaigns comprise spam addressed to Numando, which includes an email with a phishing message and a.ZIP attachment.
“Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shut down the machine, display overlay windows, take screenshots and kill browser processes.” reads the analysis published by ESET. “Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings, which inspired our naming of this malware family.”
A decoy. ZIP file and a genuine file are downloaded containing a. CAB archive — with a valid software application included — an injector, and the Trojan. The malware is hidden within a large. BMP picture file. The injecter is laterally loaded and the malware is decrypted using an XOR method and a key for the software program is implemented.
Numando will build counterfeit overlays whenever a victim visits financial services once downloaded on a targeted system. If users give their credentials, they are taken and forwarded to the C2 server of the malware. In addition to managing remote configuration settings, Numando exploits public services, particularly Pastebin and YouTUbe. Numando may also replicate mouse clicks and key shell operations; hijack the shutdown of a PC and restart operations.