ESET released a report on banking Trojans in Latin America on Friday, which included Janeleiro, a new malware sample. Researchers note that this Janeleiro malware sample is similar to Casbaneiro, Grandoreiro, and Mekotio Trojans but this one is not limited to that region. Campaigns have been discovered in Spain, Mexico, and Brazil as well.
In a recent blog post, the cybersecurity experts also described the Trojan dubbed Numando, which has been active for several years. It shows fake overlay windows to trick victims into providing sensitive information, such as login passwords for banking institutions.
Like many banking Trojan variants, Numando is mainly distributed through spam and phishing campaigns. Although it is less successful than other banking Trojan variants, it is still an active threat in those regions. The lack of operators’ sophistication likely contributed to the low infection rate, according to the researchers.
In most cases, the campaign starts with a phishing email carrying a .ZIP attachment. A .CAB archive is then downloaded that bundles a fake software application (packaged alongside a genuine one), an injector, and the Trojan itself. The malware is concealed inside a large file.
The application is loaded, and the Trojan payload it carries is encrypted with an XOR algorithm. Once installed, the malware displays fake overlay windows on the target machine. The stolen credentials are sent to the malware’s command-and-control (C2) server.
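The detail that the payload is hidden inside a large file with XOR obfuscation is the kind of thing an analyst triages by hand. The script below is an added illustration, not ESET's tooling or anything from the Numando samples: it scans a carrier blob for a PE executable hidden with a single-byte repeating XOR key (the article only says "XOR", so the single-byte key length is an assumption) by searching for the XOR'd DOS stub string rather than decoding the whole file 255 times, then carves the payload out. The sample carrier and key are constructed inline so it runs offline.

```python
"""Triage helper: locate a single-byte-XOR-obfuscated PE payload inside a large carrier file.

Added example (not ESET's or the malware authors' code). Assumes a single-byte
repeating XOR key; the article only says "XOR", so the key length is an assumption.
"""
from typing import List, Optional, Tuple

# Text present in the DOS stub of nearly every Windows PE. XOR'ing it with each
# candidate key and searching for the result finds the payload without decoding
# the entire carrier once per key.
DOS_STUB = b"This program cannot be run in DOS mode"
MZ = b"MZ"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`. XOR is symmetric, so the same call hides and recovers."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def find_xored_pe(blob: bytes) -> List[Tuple[int, int]]:
    """Return (key, mz_offset) pairs for every embedded PE hidden with a single-byte XOR key.

    Key 0x00 is skipped on purpose: an unobfuscated PE is already visible to ordinary carving.
    """
    hits: List[Tuple[int, int]] = []
    for key in range(1, 256):
        k = bytes([key])
        stub_needle = xor_bytes(DOS_STUB, k)
        mz_needle = xor_bytes(MZ, k)
        pos = blob.find(stub_needle)
        while pos != -1:
            # The DOS stub sits a short distance after the MZ header (0x4E in a
            # standard header); look backwards within 0x100 bytes for the XOR'd "MZ".
            window_start = max(0, pos - 0x100)
            mz_pos = blob.rfind(mz_needle, window_start, pos)
            if mz_pos != -1:
                hits.append((key, mz_pos))
            pos = blob.find(stub_needle, pos + 1)
    return hits


def carve_payload(blob: bytes, key: int, mz_offset: int, length: Optional[int] = None) -> bytes:
    """Decode the hidden PE starting at `mz_offset`.

    Without `length` the rest of the carrier is decoded too; real triage would stop at
    the size derived from the PE section table instead.
    """
    end = len(blob) if length is None else mz_offset + length
    return xor_bytes(blob[mz_offset:end], bytes([key]))


# --- constructed sample (not a real Numando artefact) -------------------------
SAMPLE_KEY = 0x5A
# Minimal fake PE: MZ header padded to the usual stub offset, the stub string, then "PE\0\0".
FAKE_PE = MZ + b"\x00" * (0x4E - len(MZ)) + DOS_STUB + b"\x00" * 8 + b"PE\x00\x00"
# Carrier: filler bytes on both sides of the XOR'd payload, standing in for the "big file".
SAMPLE_BLOB = b"\xCC" * 1024 + xor_bytes(FAKE_PE, bytes([SAMPLE_KEY])) + b"\xCC" * 1024


if __name__ == "__main__":
    for key, off in find_xored_pe(SAMPLE_BLOB):
        payload = carve_payload(SAMPLE_BLOB, key, off, len(FAKE_PE))
        print(f"key=0x{key:02X} offset={off} header={payload[:2]!r}")
```

Searching for the XOR'd stub string is what keeps this cheap on multi-megabyte carriers: one `find` per candidate key instead of a full decode. If a sample turns out to use a multi-byte key, the same needle approach still works once the key length is known, but the brute-force loop would have to range over key bytes per position rather than a single value.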
Numando can also modify its configuration settings with the use of public services such as Pastebin and YouTube. It may also imitate mouse and keyboard movements, hijack PC shutdown and restart features, take screenshots, and kill browser activities.
The malicious videos discovered by the cybersecurity team were reported to Google, and those that were found have been removed.
Numando doesn’t seem to show signs of continuous development. According to ESET, it occasionally makes minor changes, but overall the binaries do not change much.