The grand finale of our series dedicated to demystifying Latin American banking trojans
ESET started this blogpost series dedicated to demystifying Latin American banking trojans in August 2019. Since then, we have covered the most active ones, namely Amavaldo, Casbaneiro, Mispadu, Guildma, Grandoreiro, Mekotio, Vadokrist, Ousaban and Numando. Latin American banking trojans share a lot of common characteristics and behavior – a topic ESET has dedicated a white paper to. Therefore, in the series, we have focused on the unique features of each malware family to help distinguish one from the other.
Latin American banking trojans are an ongoing, evolving threat
They target mainly Brazil, Spain, and Mexico
There are at least eight different malware families still active at the time of this writing
Three families went dormant during the course of this series so did not get their own blogpost, but we briefly describe their main features here
The vast majority are distributed via spam, usually leading to a ZIP archive or an MSI installer
Besides Amavaldo, which became dormant around November 2020, all the other families remain active to this day. Brazil is still the most targeted country, followed by Spain and Mexico (see Figure 1). Since 2020, Grandoreiro and Mekotio expanded to Europe – mainly Spain. What started as several minor campaigns, likely to test the new territory, evolved into something much grander. In fact, in August and September 2021, Grandoreiro launched its largest campaign so far and it targeted Spain (see Figure 2).
The other instalments of our series on Latin American banking trojans:
From Carnaval to Cinco de Mayo – The journey of Amavaldo
Casbaneiro: Dangerous cooking with a secret ingredient
Mispadu: Advertisement for a discounted Unhappy Meal
Guildma: The Devil drives electric
Grandoreiro: How engorged can an EXE get?
Mekotio: These aren’t the security updates you’re looking for…
Vadokrist: A wolf in sheep’s clothing
Ousaban: Private photo collection hidden in a CABinet
Numando: Count once, code twice
While Grandoreiro remains dominant in Spain, Ousaban and Casbaneiro dominated Brazil in the latest months, as illustrated by Figure 3. Mispadu seems to have shifted its focus almost exclusively to Mexico, occasionally accompanied by Casbaneiro and Grandoreiro, as seen in Figure 4.
Latin American banking trojans used to change rapidly. In the early days of our tracking, some of them were adding to or modifying their core features several times a month. Nowadays they still change very often, but the core seems to remain mostly untouched. Due to the partially stabilized development, we believe the operators are now focusing on improving distribution.
The campaigns we see always come in waves and more than 90% of them are distributed through spam. One campaign usually lasts for a week at most. In Q3 and Q4 2021, we have seen Grandoreiro, Ousaban and Casbaneiro increasing their reach enormously compared to their previous activity, as illustrated in Figure 5.
Latin American banking trojans require a lot of conditions to attack successfully:
Potential victims need to follow steps required to install the malware on their machines
Victims need to visit a targeted website and log into their accounts
Operators need to react to this situation and manually command the malware to display the fake pop-up window and take control of the victim’s machine
Victims need to not suspect malicious activity and possibly even enter an authentication code in the case of 2FA
That said, it is hard to estimate the impact of these banking trojans just based on telemetry. However, in June this year, we were able to get a picture when Spanish law enforcement arrested 16 people related to Mekotio and Grandoreiro.
In the report, police state that almost €300,000 were stolen and they were able to block the transfer of a total of €3.5 million. Correlating this arrest with Figure 2, we see that Mekotio seems to have taken a much larger hit than Grandoreiro, leading us to believe that the arrested people were more connected to Mekotio. Even though Mekotio went very quiet for almost two months after the arrest, ESET continues to see new campaigns distributing Mekotio at the time of writing.
For reference purposes, back in 2018, Brazilian police forces arrested a criminal behind another banking trojan in what was called Operation Ostentation. They estimated that he had been able to steal approximately US$400 million from victims in Brazil.
Families we didn’t cover
During the course of our series, several Latin American banking trojans became inactive. While we had planned to dedicate separate pieces to them, since they have been inactive for over a year now, we will just briefly mention them in the sections below. We also provide IoCs for them at the end of this blogpost.
This malware family was active in Brazil until the middle of 2019. Its most noticeable characteristic was its usage of well-known cryptographic methods to encrypt strings, as opposed to the majority of Latin American banking trojans that mainly use custom encryption schemes, some of which are shared across these families. We have observed Krachulka variants using AES, RC2, RC4, 3DES and a slightly customized variant of Salsa20.
Krachulka, despite being written in Delphi like most other Latin American banking trojans, was distributed by a downloader written in the Go programming language – another unique characteristic among this kind of banking malware (see Figure 6).
This malware family was active mainly in Mexico until the beginning of 2020. We were able to identify additional builds, each dedicated to target a different country – Brazil, Chile and Colombia.
The most identifying feature of Lokorrito is its usage of a custom User-Agent string in network communication (see Figure 7). We have observed two values – LA CONCHA DE TU MADRE and 4RR0B4R 4 X0T4 D4 TU4 M4E, both quite vulgar expressions in Spanish and Portuguese, respectively.
We have identified several additional Lokorrito-related modules. First, a backdoor, which basically functions like a simplified version of the banking trojan without the support for fake overlay windows. We believe it was installed in some Lokorrito campaigns first and, only if the attacker saw fit, it was updated to the actual banking trojan. Then, a spam tool, which generates spam emails distributing Lokorrito and sending them to further potential victims. The tool generated the emails based on both hardcoded data and data obtained from a C&C server. Finally, we identified a simple infostealer designed to steal the victim’s Outlook address book and a password stealer intended to harvest Outlook and FileZilla credentials.
This malware family was active exclusively in Brazil until the middle of 2020. It was the first Latin American banking trojan malware family ESET identified. In fact, ESET analyzed one variant in 2018 here (in Portuguese).
Zumanek is identified by its method for obfuscating strings. It creates a function for each character of the alphabet and then concatenates the result of calling the correct functions in sequence, as illustrated in Figure 8.
Interestingly, Zumanek never utilized any complicated payload execution methods. Its downloaders simply downloaded a ZIP archive containing only the banking trojan executable, usually named drive2. The executable was very often protected by either the VMProtect or Armadillo packer.
We think with low confidence that Ousaban may actually be the successor of Zumanek. Even though the two malware families don’t seem to share any code similarities, their remote configuration format uses very similar delimiters (see Figure 9). Additionally, we have observed several servers used by Ousaban that looked very much like those used by Zumanek in the past.
Since Latin American banking trojans expanded to Europe, they have been getting more attention from both researchers and police forces. In the latest months, we’ve seen some of their biggest campaigns to date.
ESET researchers also discovered Janeleiro, a Latin American banking trojan written in .NET. Additionally, we may see some of these banking trojans expanding to the Android platform. In fact, one such banking trojan, Ghimob, has already been attributed to the threat actor behind Guildma. However, since we continue to see the developers actively improving their Delphi binaries, we believe they will not just abandon their current arsenal.
Even though many Latin American banking trojans are somewhat cumbersome and overcomplicated in their implementation, they represent a different approach to attacking victims’ bank accounts. Opposed to the most notorious banking trojans of the recent past, they don’t inject the web browser, nor do they need to find ways to webinject a certain banking website. Instead, they design a pop-up window – likely a much faster and easier process. The threat actors already have templates at their disposal that they easily modify for different financial institutions (see Figure 10). That is their main advantage.
The main disadvantage is that there is very little to no automation in the attack process – without active participation of the attacker, the banking trojan will do almost no harm. Whether some new kind of malware will try to automate this approach remains a question for the future.
In our series, we have presented the most active Latin American banking trojans of the past few years. We have identified a dozen different malware families, most of which remain active at the time of this writing. We have identified their unique features as well as their many commonalities.
The most significant discovery during the course of our series is likely the expansion of Mekotio and Grandoreiro to Europe. Besides Spain, we’ve observed occasional small campaigns targeting Italy, France and Belgium. We believe these banking trojans will continue to test new territories for future expansion.
Our telemetry shows a surprisingly large increase in the reach of Ousaban, Grandoreiro and Casbaneiro in recent months, leading us to conclude the threat actors behind these malware families are determined to continue their nefarious actions against users in targeted countries. ESET will continue to track these banking trojans and keep users safe from these threats.
For any inquiries, contact us as firstname.lastname@example.org. Indicators of Compromise for all the mentioned malware families can also be found on our GitHub repository.
Indicators of Compromise (IoCs)
SHA-1DescriptionESET detection name
83BCD611F0FD4D7D06C709BC5E26EB7D4CDF8D01Krachulka banking trojanWin32/Spy.Krachulka.C
FFE131ADD40628B5CF82EC4655518D47D2AB7A28Krachulka banking trojanWin32/Spy.Krachulka.C
4484CE3014627F8E2BB7129632D5A011CF0E9A2AKrachulka banking trojanWin32/Spy.Krachulka.A
20116A5F01439F669FD4BF77AFEB7EFE6B2175F3Krachulka Go downloaderWin32/TrojanDownloader.Banload.YJA
SHA-1DescriptionESET detection name
4249AA03E0F5142821DB2F1A769F3FE3DB63BE54Lokorrito banking trojanWin32/Spy.Lokorrito.L
D30F968741D4023CD8DAF716C78510C99A532627Lokorrito banking trojanWin32/Spy.Lokorrito.A
6837d826fbff3d81b0def4282d306df2ef59e14aLokorrito banking trojanWin32/Spy.Lokorrito.L
2F8F70220A9ABDCAA0868D274448A9A5819A3EBCLokorrito backdoor moduleWin32/Spy.Lokorrito.S
0066035B7191ABB4DEEF99928C5ED4E232428A0DLokorrito backdoor moduleWin32/Spy.Lokorrito.R
B29BB5DB1237A3D74F9E88FE228BE5A463E2DFA4Lokorrito backdoor moduleWin32/Spy.Lokorrito.M
SHA-1DescriptionESET detection name
69FD64C9E8638E463294D42B7C0EFE249D29C27EZumanek banking trojanWin32/Spy.Zumanek.DO
59C955C227B83413B4BDF01F7D4090D249408DF2Zumanek banking trojanWin32/Spy.Zumanek.DK
4E49D878B13E475286C59917CC63DB1FA3341C78Zumanek banking trojanWin32/Spy.Zumanek.DK
2850B7A4E6695B89B81F1F891A48A3D34EF18636Zumanek downloader (MSI)Win32/Spy.Zumanek.DN
C936C3A661503BD9813CB48AD725A99173626AAEZumanek downloader (MSI)Win32/Spy.Zumanek.DM
MITRE ATT&CK techniques
We have created a MITRE ATT&CK table showing a comparison of the techniques used by the Latin American banking trojans featured in this series. It was released as part of our white paper dedicated to examining the many similarities between these banking trojans and can be found here.