New Trojan attack targets Brazilian bank customers
Posted: Sun Jan 19, 2025 6:06 am
Slovakian information security firm ESET has identified a new type of banking Trojan that primarily targets online banking customers from banks in Mexico, Spain and, especially, Brazil. The criminals behind Numando operate through massive phishing campaigns.
Numando is described as a banking trojan, or Trojan horse malware, that seeks to collect credentials from online banking customers and their infected machines. Such trojans are delivered by a variety of mechanisms and exploit a range of vulnerabilities, increasingly incorporating additional functionality.
Total control
With Numando, criminals can compromise multiple devices and remotely control the user's machine, doing whatever they want on the infected system. The attacks rely on fake overlay windows, backdoor functionality, and abuse of services such as YouTube to store the Trojan's remote configuration.
Numando's backdoor capabilities allow it to simulate mouse and keyboard actions. In addition, it can reboot and shut down the machine, display overlay windows (preventing the user from taking any action), take screenshots, and kill browser processes.
Fake pop-up windows work to lure sensitive information from victims. This is what we call phishing (where criminals use fake pages and websites of financial institutions, such as banks).
Among its techniques, the banking Trojan uses seemingly useless ZIP files that usually contain a file which launches the Microsoft Installer program. This is what triggers the infection of the computer.
Another technique used by criminals is to bundle payloads with “suspiciously” large BMP images. These BMP files are valid images that can be opened in most image viewers and editors without any problems.
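The two delivery tricks just described (a ZIP carrying a Windows Installer package, and a valid BMP with a payload appended after the image data) both leave a measurable trace that an attachment gateway or an analyst can check. The following Python script is an added illustration written for this page, not code from ESET or from the article; the BMP and ZIP inputs are constructed in the script itself (the "payload" is just filler bytes), and the header layouts it parses are the standard BITMAPFILEHEADER/BITMAPINFOHEADER and OLE compound file formats.

```python
import io
import struct
import zipfile

# Header of an OLE Compound File, the container layout used by Windows Installer
# (.msi) packages. Legacy Office documents share it, so treat it as a triage
# signal rather than proof on its own.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SUSPICIOUS_EXT = (".msi", ".exe", ".dll", ".lnk", ".js", ".vbs", ".hta",
                  ".scr", ".bat", ".cmd")


def analyze_bmp(data: bytes) -> dict:
    """Compare a BMP's real size with what its own headers account for.

    A well-formed BMP ends right after its pixel array. Bytes appended after
    that point do not stop viewers from opening the image, which is exactly
    why they are a convenient hiding place. Returns the number of unexplained
    trailing bytes and whether the declared file size matches reality.
    """
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    # BITMAPFILEHEADER: 'BM', bfSize, bfReserved1, bfReserved2, bfOffBits
    declared_size, pixel_offset = struct.unpack_from("<I4xI", data, 2)
    # BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount,
    # biCompression, biSizeImage (a colour table, if any, sits before
    # bfOffBits, so pixel_offset already accounts for it)
    _dib, width, height, _planes, bpp, compression, size_image = \
        struct.unpack_from("<IiiHHII", data, 14)
    if compression in (0, 3):      # BI_RGB / BI_BITFIELDS: size is computable
        row_bytes = ((abs(width) * bpp + 31) // 32) * 4   # rows padded to 4 bytes
        pixel_bytes = row_bytes * abs(height)
    else:                          # RLE variants: trust biSizeImage
        pixel_bytes = size_image
    expected_end = pixel_offset + pixel_bytes
    return {
        "trailing_bytes": len(data) - expected_end,
        "declared_size": declared_size,
        "actual_size": len(data),
        "size_mismatch": declared_size != len(data),
    }


def triage_zip(data: bytes) -> list:
    """List ZIP entries whose name or leading bytes suggest an installer/executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(SUSPICIOUS_EXT):
                reasons.append("executable-type extension")
            with zf.open(info) as fh:
                head = fh.read(len(OLE_MAGIC))
            if head == OLE_MAGIC:
                reasons.append("OLE compound file header (Windows Installer layout)")
            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def make_bmp(width: int, height: int) -> bytes:
    """Build a minimal valid 24-bit BMP (constructed sample, all-black pixels)."""
    row_bytes = ((width * 24 + 31) // 32) * 4
    pixel_bytes = row_bytes * height
    file_header = b"BM" + struct.pack("<IHHI", 54 + pixel_bytes, 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             pixel_bytes, 2835, 2835, 0, 0)
    return file_header + dib_header + bytes(pixel_bytes)


CLEAN_BMP = make_bmp(2, 2)
# Constructed stand-in for "payload appended after the image": 4096 filler bytes.
PADDED_BMP = CLEAN_BMP + b"\x00" * 4096


def make_zip() -> bytes:
    """Constructed attachment: one harmless entry, two OLE-layout blobs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed harmless entry")
        zf.writestr("invoice.pdf", OLE_MAGIC + bytes(24))   # OLE data under a PDF name
        zf.writestr("setup.msi", OLE_MAGIC + bytes(24))
    return buf.getvalue()


SAMPLE_ZIP = make_zip()

if __name__ == "__main__":
    for label, bmp in (("clean", CLEAN_BMP), ("padded", PADDED_BMP)):
        print(label, analyze_bmp(bmp))
    for name, reason in triage_zip(SAMPLE_ZIP):
        print("flag:", name, "->", reason)
```

The BMP check keys on the gap between the file's actual length and the end of the pixel array its headers describe; a clean image reports zero trailing bytes, while an image with anything appended reports the exact excess, regardless of whether it still renders. The ZIP check does not rely on file extensions alone, since an installer package can be stored under any name; it reads the first eight bytes of each entry and flags the OLE compound layout that MSI packages use.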
The thief's camera
Luli Rosenberg, an ethical hacker and professor at CySource, an Israeli cybersecurity research and reference center, points out that the scammers behind the Trojan horse could steal credentials to break into bank accounts.
They can also access confidential data from large companies, capture personal files for extortion and blackmail. “There are many possibilities, it’s as if a burglar broke into a house and installed hidden cameras, tapped the phones and even made a hidden passage,” explains Rosenberg.
“It is the only Trojan horse focused on banks in Latin America written in the Delphi language, but with an injector that was not developed in that same programming language. The malware also takes advantage of well-known sites such as YouTube and Pastebin (aimed at programmers) to store its settings,” he reveals.
A Trojan against Brazil
Numando is distributed almost exclusively through phishing: mass messages pretending to be from banks or debt collection agencies. If you receive attachments by email, especially in ZIP format, it is essential to consider carefully whether you were expecting the message and whether it arrived within the expected time frame.
If in doubt, contact the sender directly through another communication channel, preferably by telephone, to confirm that the message is legitimate.
“It is also important to raise awareness among as many people as possible to stop this type of attack by understanding how these attacks occur. Another key point is that the platforms used by these hackers implement active scanning mechanisms and protection against this type of exploitation,” says the CySource professor.