Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings (see Figure 1), which inspired our naming of this malware family.Figure 1. Rsrc sections, while others utilize a separate Delphi DLL just for this storage.Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shutdown the machine, display overlay windows, take screenshots and kill browser processes. Some Numando variants store these images in an encrypted ZIP archive inside their. CharacteristicsAs with all the other Latin American banking trojans described in this series, Numando is written in Delphi and utilizes fake overlay windows to lure sensitive information out of its victims. Geographically, it focuses almost exclusively on Brazil with rare campaigns in Mexico and Spain.Based on our telemetry, its campaigns affect several hundred victims at most, making it considerably less successful than the most prevalent LATAM banking trojans such as Mekotio and Grandoreiro. Distribution and executionNumando is distributed almost exclusively by spam. There are some minor changes from time to time, but overall the binaries do not tend to change much. Numando collects the victimized machine’s Windows version and bitness.Unlike most of the other Latin American banking trojans covered in this series, Numando does not show signs of continuous development.
![]() ![]() Review Eset Cybersecurity Archive Inside TheirThis makes it difficult to decrypt the configuration without having the corresponding binary, however Numando does not change its decryption key very often, making decryption possible. Each entry is encrypted separately the same way as other strings in Numando – with the key hardcoded in the binary. Numando remote configuration on YouTubeThe format is simple – three entries delimited by “:” between the DATA: markers. The injector locates the payload and then decrypts it using a simple XOR algorithm with a multi-byte key, as in the overview of this process illustrated in Figure 2.Figure 7. If the potential victim executes the MSI, it eventually runs the legitimate application as well, and that side-loads the injector. This installer contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. ![]()
0 Comments
Leave a Reply. |
Details
AuthorSanny ArchivesCategories |