The dirty dozen of Latin America: From Amavaldo to Zumanek

Besides Amavaldo, which became dormant, all the other families remain active to this day.
Brazil is still the most targeted country, followed by Spain and Mexico.
Grandoreiro and Mekotio expanded to Europe – mainly Spain.
What started as several minor campaigns, likely to test the new territory, evolved into something much grander.
Latin American banking trojans used to change rapidly.
In the early days of tracking, some of them were adding to or modifying their core features several times a month.
Nowadays they still change very often, but the core seems to remain mostly untouched.
Due to the partially stabilized development, researchers believe the operators are now focusing on improving distribution.

The campaigns researchers see always come in waves and more than 90% of them are distributed through spam.
One campaign usually lasts for a week at most. Previously, researchers have seen Grandoreiro, Ousaban and Casbaneiro increasing their reach enormously compared to their previous activity.
Latin American banking trojans require a lot of conditions to attack successfully:

– Potential victims need to follow steps required to install the malware on their machines
– Victims need to visit a targeted website and log into their accounts
– Operators need to react to this situation and manually command the malware to display the fake pop-up window and take control of the victim’s machine
– Victims need to not suspect malicious activity and possibly even enter an authentication code in the case of 2FA

Krachulka
This malware family was active in Brazil.
Its most noticeable characteristic was its usage of well-known cryptographic methods to encrypt strings, as opposed to the majority of Latin American banking trojans that mainly use custom encryption schemes, some of which are shared across these families.
Researchers have observed Krachulka variants using AES, RC2, RC4, 3DES and a slightly customized variant of Salsa20.

Krachulka, despite being written in Delphi like most other Latin American banking trojans, was distributed by a downloader written in the Go programming language – another unique characteristic among this kind of banking malware.
Lokorrito
Researchers were able to identify additional builds, each dedicated to target a different country – Brazil, Chile and Colombia.
The most identifying feature of Lokorrito is its usage of a custom User-Agent string in network communication.
Researchers have observed two values – LA CONCHA DE TU MADRE and 4RR0B4R 4 X0T4 D4 TU4 M4E, both quite vulgar expressions in Spanish and Portuguese, respectively.
Researchers have identified several additional Lokorrito-related modules.
First, a backdoor, which functions essentially as a simplified version of the banking trojan without support for fake overlay windows.
Researchers believe it was installed in some Lokorrito campaigns first and, only if the attacker saw fit, it was updated to the actual banking trojan.
Then, a spam tool, which generates spam emails distributing Lokorrito and sending them to further potential victims.
The tool generated the emails based on both hardcoded data and data obtained from a C&C server.
Finally, researchers identified a simple infostealer designed to steal the victim’s Outlook address book and a password stealer intended to harvest Outlook and FileZilla credentials.
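Because the two User-Agent values above are fixed strings, they are a cheap network-level indicator. The following Python is an added example (not part of the original report or of any vendor tooling) that scans proxy log lines for them; the log format, IP addresses and URLs are constructed assumptions, and the match normalises case and whitespace so that a trivially re-cased copy of the string is still flagged.

```python
import re

# The two User-Agent values the report attributes to Lokorrito, kept verbatim
# because the exact string is the detection artefact.
LOKORRITO_USER_AGENTS = (
    "LA CONCHA DE TU MADRE",
    "4RR0B4R 4 X0T4 D4 TU4 M4E",
)

# Constructed sample proxy log in a simplified format (assumption: timestamp,
# client IP, method, URL, then the User-Agent as the final quoted field).
# These lines are not real traffic captures.
SAMPLE_LOG = """\
1660200001.123 10.0.0.5 GET http://example.invalid/update.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1660200002.456 10.0.0.7 POST http://example.invalid/gate.php "LA CONCHA DE TU MADRE"
1660200003.789 10.0.0.9 GET http://example.invalid/index.html "  4rr0b4r 4 x0t4 d4 tu4 m4e "
1660200004.012 10.0.0.5 GET http://example.invalid/ "curl/7.68.0"
"""

# The User-Agent is the last double-quoted field on the line.
UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')


def extract_user_agent(line):
    """Return the User-Agent field of one log line, or None if absent."""
    match = UA_FIELD_RE.search(line)
    return match.group(1) if match else None


def match_lokorrito_ua(user_agent):
    """Return the canonical Lokorrito User-Agent this value matches, or None.

    Comparison is case-insensitive on whitespace-normalised text so that a
    trivial re-casing or padding of the string does not evade the check.
    """
    if user_agent is None:
        return None
    normalised = " ".join(user_agent.split()).upper()
    for signature in LOKORRITO_USER_AGENTS:
        if signature in normalised:
            return signature
    return None


def find_lokorrito_hits(log_text):
    """Scan a log and return (client_ip, matched_signature) for each hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) < 3:
            continue  # malformed line: no client IP / UA to inspect
        signature = match_lokorrito_ua(extract_user_agent(line))
        if signature:
            hits.append((fields[1], signature))
    return hits


if __name__ == "__main__":
    for ip, sig in find_lokorrito_hits(SAMPLE_LOG):
        print(f"Lokorrito User-Agent seen from {ip}: {sig!r}")
```

Substring matching on the normalised value is deliberate: a whole-field comparison would miss a copy of the string with leading or trailing padding, while a false positive on these particular phrases in legitimate browser traffic is very unlikely.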

Zumanek
This malware family was active exclusively in Brazil.
It was the first Latin American banking trojan malware family ESET identified.

Zumanek is identified by its method for obfuscating strings.
It creates a function for each character of the alphabet and then concatenates the result of calling the correct functions in sequence.
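To make the scheme concrete from an analyst's side, the following Python is an added illustration (not Zumanek's own code, and not a real sample): it builds a Pascal-flavoured pseudo-source in which each character has its own function and strings are concatenations of calls, then statically resolves those concatenations back to plaintext. The function names (chr_fn_N), the source syntax and the two embedded strings are constructed assumptions; the resolver returns nothing for an expression that calls a function outside the per-character table, since that is not an instance of this scheme.

```python
import re
import string

# Character set the constructed per-character functions cover (assumption).
ALPHABET = string.ascii_lowercase + string.digits + "./:-_"


def build_char_functions(alphabet=ALPHABET):
    """Emit one Pascal-style function per character, each returning that character."""
    lines = []
    for idx, ch in enumerate(alphabet):
        lines.append(f"function chr_fn_{idx}(): string; begin Result := '{ch}'; end;")
    return "\n".join(lines)


def obfuscate_string(plain, alphabet=ALPHABET):
    """Express `plain` as the concatenation of per-character function calls."""
    return " + ".join(f"chr_fn_{alphabet.index(ch)}()" for ch in plain)


# Constructed pseudo-source: the character table followed by two obfuscated
# assignments. The URL and file name are placeholders, not real indicators.
SAMPLE_SOURCE = build_char_functions() + "\n" + (
    "url := " + obfuscate_string("http://example.invalid/gate.php") + ";\n"
    "name := " + obfuscate_string("update.bin") + ";\n"
)

# function <name>(): string; begin Result := '<c>'; end;
DEF_RE = re.compile(
    r"function\s+(\w+)\(\)\s*:\s*string;\s*begin\s*Result\s*:=\s*'(.)';\s*end;"
)
# <var> := f1() + f2() + ... + fn();   (at least two calls)
CONCAT_RE = re.compile(r"(\w+)\s*:=\s*((?:\w+\(\)\s*\+\s*)+\w+\(\))\s*;")
CALL_RE = re.compile(r"(\w+)\(\)")


def recover_strings(source):
    """Map each obfuscated assignment's variable name to its plaintext string."""
    # Step 1: learn which function returns which character.
    char_map = {name: ch for name, ch in DEF_RE.findall(source)}
    recovered = {}
    # Step 2: walk every concatenation expression and replace calls in order.
    for var, expr in CONCAT_RE.findall(source):
        chars = []
        for fn in CALL_RE.findall(expr):
            if fn not in char_map:
                chars = None  # unknown call: not this obfuscation pattern
                break
            chars.append(char_map[fn])
        if chars is not None:
            recovered[var] = "".join(chars)
    return recovered


if __name__ == "__main__":
    for var, value in recover_strings(SAMPLE_SOURCE).items():
        print(f"{var} = {value!r}")
```

The point for a defender is that the scheme carries no secret: once the per-character table is read out of the binary's decompilation, every obfuscated string is recoverable by order-preserving substitution, which is why a purely static resolver suffices.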
