Numando Banking Trojan

Numando Banking Trojan Description

A new report has shed light on yet another banking Trojan from Latin America. The threat is named Numando, and it has been used in attack campaigns since at least 2018. While the Numando operations have been mainly focused on Brazil, occasional campaigns have also been carried out in other territories, such as Mexico and Spain. Although the threat actors employ several novel techniques and tactics, such as using YouTube videos for remote configuration, the success rate of Numando has remained low due to its relative lack of sophistication.

The Attack Chain

The attack begins with the dissemination of spam emails and phishing messages. The corrupted emails contain a bait message and a .ZIP attachment. The archive contains a legitimate application, an injector and Numando's payload. When the victim launches the legitimate program, it side-loads the injector, which leads to the execution of the malware. In another variation of the attack chain, the unsafe payload is injected into a BMP image and extracted subsequently. Despite being suspiciously large, this BMP image is perfectly valid and can be opened and viewed in numerous image editors without any problems. The detected images often include the logos of legitimate software products and companies such as Avast and Java.

The Threatening Capabilities

The main functionality of Numando is consistent with all the other banking Trojans from the region - by generating overlays over legitimate banking and payment applications it tries to collect the victim's account credentials and banking information. In addition, the malware threat can simulate mouse and keyboard inputs, force the infected system to restart or shut down, take arbitrary screenshots and kill browser processes. 

Unlike many of the other banking Trojans from the Latin America region, Numando doesn't appear to be in active development. The discovered versions and samples do show some minor changes that have been introduced over time but there have been no major improvements or additions. 

Remote Configuration via YouTube Videos

The most striking characteristic of Numando is the use of public platforms such as YouTube, Pastebin, and others, for remote configuration. The YouTube videos included information that follows a specific pattern recognized by the threat. The string begins with 'DATA:{', followed by three entries separated by ':' and a closing '}' character. After being notified by the infosec researchers tracking the threat, Google took down the videos involved in the harmful campaigns.
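As an added illustration (not code from the original article or from the researchers' report), the following Python function scans scraped text, such as video descriptions or paste contents, for the DATA:{a:b:c} marker described above and returns the three entries so a defender can flag the content for review. The meaning of the three entries is not given here, so they are returned verbatim; the sample text and the function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Pattern for the remote-configuration marker: the literal 'DATA:{',
# exactly three entries separated by ':', then a closing '}'.
# Entries may not contain ':', braces or whitespace, so markers with
# two or four entries deliberately do not match.
CONFIG_RE = re.compile(r"DATA:\{([^:{}\s]+):([^:{}\s]+):([^:{}\s]+)\}")


def find_numando_configs(text: str) -> List[Tuple[str, str, str]]:
    """Return every well-formed DATA:{a:b:c} marker found in text.

    Only the exact three-entry shape is reported, which keeps false
    positives from unrelated 'DATA:' strings low when scanning large
    volumes of scraped descriptions.
    """
    return [m.groups() for m in CONFIG_RE.finditer(text)]


def is_suspicious(text: str) -> bool:
    """True if the text carries at least one well-formed marker."""
    return bool(find_numando_configs(text))


# Constructed sample of scraped description text (not real campaign data).
SAMPLE = """
Tutorial de hoje: como instalar o programa.
DATA:{entry-one:entry-two:entry-three}
DATA:{only:two}
DATA:{a:b:c:d}
"""

if __name__ == "__main__":
    for hit in find_numando_configs(SAMPLE):
        print("marker found:", hit)
```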