YouTube Abused By Banking Trojan To Control Remote Settings

ESET released a report on banking Trojans in Latin America on Friday, which included Janeleiro, a newer malware family. The researchers note that Janeleiro shares traits with the Casbaneiro, Grandoreiro and Mekotio Trojans, but its activity is not confined to that region: campaigns have been seen in Spain in addition to Brazil and Mexico.

In a recent blog post, the ESET researchers also described a Trojan dubbed Numando, which has been active for several years. It displays fake overlay windows on top of the victim's screen to trick them into entering sensitive information, such as login credentials for their banks.

Like most banking Trojans, Numando is distributed mainly through spam and phishing campaigns. It is far less widespread than the other families in this group, which the researchers attribute to the operators' relative lack of sophistication, but it remains an active threat in the affected regions.

In most cases a campaign starts with a phishing email carrying a .ZIP attachment. That attachment delivers a .CAB archive bundling three components: a genuine software application that serves as a decoy and loader, an injector, and the encrypted Numando Trojan itself. The encrypted Trojan is concealed inside a very large file, a common trick for slipping past scanners that skip oversized files.

When the genuine application is launched, it loads the injector, which decrypts the Trojan (encrypted with a simple XOR scheme) and injects it into memory. Once active, the Trojan displays its fake overlay windows on the target machine, and the credentials it captures are sent to the malware's command-and-control (C2) server.

Numando also retrieves its remote configuration from public services such as Pastebin and YouTube, a dead-drop resolver technique that makes the fetch look like ordinary browsing and sidesteps blocklists built on attacker-owned domains. On top of the overlay attacks it can simulate mouse and keyboard input, hijack the PC's shutdown and restart functions, take screenshots, and kill browser processes.
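Because the configuration lives on services that employees legitimately use, blocking the domains is not an option; what defenders can do is look at who is fetching them and how. The Python below is an added example for this page, not ESET's detection logic and not derived from the malware: it runs a simple heuristic over constructed proxy log lines (the log format, client addresses, paste and video IDs and user-agent strings are all made up for the example), flagging fetches of Pastebin raw pages or YouTube watch pages by clients whose user agent does not look like a browser, and then summarising which of those services each flagged client touched. Whether Numando itself uses a non-browser user agent is not something the report on this page states; the heuristic is illustrative.

```python
"""Flag likely dead-drop-resolver traffic (Pastebin / YouTube used to host
malware configuration) in proxy logs.

Added example for this page; not ESET's detection logic. The log format, IPs,
paste IDs, video IDs and user-agent strings below are all constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Public services the page names as configuration hosts; the URL shapes are this
# example's own choice, not a documented indicator from the report.
DEAD_DROP_PATTERNS = {
    "pastebin-raw": re.compile(r"^https?://(?:www\.)?pastebin\.com/raw/[A-Za-z0-9]+"),
    "youtube-watch": re.compile(r"^https?://(?:www\.)?youtube\.com/watch\?v=[\w-]{11}"),
}

# Heuristic: real browsers send a Mozilla/5.0 UA that names a rendering engine.
BROWSER_UA = re.compile(r"^Mozilla/5\.0 .*(?:Chrome|Firefox|Safari|Edg)/\d")

# Assumed proxy log format: <timestamp> <client> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample log: one real browser user, one suspicious client (10.0.0.7)
# hitting both services with a non-browser UA, and one unrelated script.
SAMPLE_LOG = """\
2021-09-17T10:01:02Z 10.0.0.5 GET https://www.youtube.com/watch?v=AAAAAAAAAAA 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/93.0.4577.82 Safari/537.36"
2021-09-17T10:01:09Z 10.0.0.7 GET https://pastebin.com/raw/AbCdEf12 200 "Mozilla/3.0 (compatible; Indy Library)"
2021-09-17T10:01:10Z 10.0.0.7 GET https://www.youtube.com/watch?v=BBBBBBBBBBB 200 "Mozilla/3.0 (compatible; Indy Library)"
2021-09-17T10:02:30Z 10.0.0.9 GET https://example.com/update.json 200 "python-requests/2.26.0"
2021-09-17T10:03:00Z 10.0.0.5 GET https://pastebin.com/raw/ZyXwVu98 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0"
"""


def parse_log(text: str) -> List[dict]:
    """Parse lines in the assumed format; silently skip anything that does not match."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, method, url, status, ua = m.groups()
        events.append({"ts": ts, "client": client, "method": method,
                       "url": url, "status": int(status), "ua": ua})
    return events


def classify(url: str) -> Optional[str]:
    """Return the dead-drop service name a URL belongs to, or None."""
    for name, pattern in DEAD_DROP_PATTERNS.items():
        if pattern.match(url):
            return name
    return None


def find_dead_drop_fetches(text: str) -> List[dict]:
    """Return events that fetch a dead-drop-capable URL with a non-browser UA."""
    hits = []
    for event in parse_log(text):
        service = classify(event["url"])
        if service is None or BROWSER_UA.match(event["ua"]):
            continue
        hits.append({**event, "service": service, "reason": "non-browser user agent"})
    return hits


def summarize_by_client(hits: List[dict]) -> Dict[str, List[str]]:
    """Map each flagged client to the sorted list of services it touched; a client
    that pulls from more than one such service is the stronger signal."""
    services = defaultdict(set)
    for hit in hits:
        services[hit["client"]].add(hit["service"])
    return {client: sorted(names) for client, names in services.items()}


if __name__ == "__main__":
    flagged = find_dead_drop_fetches(SAMPLE_LOG)
    for hit in flagged:
        print(f'{hit["ts"]} {hit["client"]} {hit["service"]} {hit["url"]} ({hit["reason"]})')
    print(summarize_by_client(flagged))
```

In a real deployment the user-agent test is only a first filter; a more robust version joins the proxy log with endpoint telemetry to see which process made the request, since a browser-looking UA sent by an unsigned binary in a user-writable directory is the case this heuristic misses.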

ESET reported the malicious videos it found to Google, which removed them.

Numando shows no sign of continuous development. According to ESET, it occasionally receives minor changes, but the binaries otherwise change very little over time.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.