Numando Banking Trojan

A banking Trojan dubbed Numando has been detected that abuses YouTube, Pastebin, and other public platforms in order to spread and control compromised machines. Sample similar to Casbaneiro, Grandoreiro, and Mekotio campaigns have been detected across Brazil, Mexico, and Spain.

Written in Delphi, this financial malware displays fake overlay windows to dupe victims into submitting sensitive data, such as the credentials used to access financial services. Spreads through spam and phishing campaigns.

A spam sent to distribute Numando are composed of a phishing message and a .ZIP attachment included with the email. A decoy .ZIP file is downloaded, together with an actual .ZIP file that contains a .CAB archive bundled with a legitimate software app an injector, and the Trojan. The malware is hidden in a large .BMP image file.

Once software app executed and installed, the injector is side-loaded and the malware is then decrypted using an XOR algorithm and a key and will create fake overlay windows when a victim visits financial services. If users submit their credentials, they are stolen and sent to the malware’s command-and-control (C2) server.

Numando also abuses public services including Pastebin and YouTube to manage its remote configuration settings.

The format is simple three entries delimited by “:” between the DATA:{ and } markers. Each entry is encrypted separately the same way as other strings in Numando with the key hardcoded in the binary. This makes it difficult to decrypt the configuration without having the corresponding binary.

Google was informed of the videos found by and the ones that have been detected have since been taken down.

Numando can simulate mouse clicks and keyboard actions, hijack PC shutdown and restart functions, take screenshots, and kill browser processes. Inspite of all this is less successful than other Latin American Trojans, including Mekotio and Grandoreiro. The operator’s lack of sophistication has contributed to a low infection rate.