There are multiple distinct banking Trojan families in Latin America, rather than one large group as has been previously believed, ESET researchers said at the Virus Bulletin 2020 conference.
ESET has been researching various Latin American banking Trojans and has “unmasked” Amavaldo, Casbaneiro, Mispadu, Guildma, Grandoreiro, and Mekotio over the past year. Analyses of Krachulka, Lokorrito, Numando, Vadokrist, and Zumanek are expected. These Trojans were originally considered part of one group of malware because of all the similarities, ESET said in its whitepaper published by Virus Bulletin. Evidence suggests that there are actually 11 malware families and that the authors cooperate closely with each other, as they rely on the same attack techniques, make identical coding decisions, and employ similar distribution methods, ESET said.
“Since we don’t believe it to be possible that independent malware authors would come up with so many common ideas – and, moreover, since we don’t believe one group to be responsible for maintaining all these malware families – we must conclude that these are multiple threat actors closely cooperating with each other,” said Jakub Souček, one of the researchers working on Latin American financial cybercrime.
These malware families have also expanded their target region beyond Latin America to include Spain and Portugal.
ESET mapped the common techniques using the MITRE ATT&CK framework and highlighted that phishing is the most common attack vector for Latin American banking Trojans, which tend to use either fake pop-up windows or keyloggers to steal credentials. The authors rely on scripting languages, mainly VBScript, favor custom encryption algorithms over established ones, and obfuscate payloads and configuration data in some way. The malware uses DLL side-loading to execute additional payloads, maintains persistence on infected systems by modifying the Registry Run key or using the Startup folder, and devotes “considerable effort” to collecting screenshots and scanning for security software. Finally, the malware does not exfiltrate all the data to a command-and-control server; it sends some of it to other locations as well.
From a code perspective, these malware families share third-party libraries, “uncommon” string encryption algorithms, and string and binary obfuscation techniques. The vast majority of the families recently shifted from using binary obfuscation tool VMProtect to Themida, the researchers said.
“Most Latin American banking trojans use very simple, custom encryption schemes that are generally unknown in the broader programming community, and yet we see the same algorithm being used in six different families,” ESET wrote in its whitepaper.
The core functionality of these banking Trojan families is “practically identical”: the malware collects information about the infected system, sends the information to a location distinct from the command-and-control server, and periodically scans active windows by name or title looking for the one to attack. When that window is detected, the malware displays a fake pop-up window to lure victims into providing sensitive information.
“The binaries are so similar in their core functionality that it almost seems like they were built from one set of blueprints,” ESET said. “[We] also don’t believe there is one group of malware authors willingly maintaining 11 different pieces of malware with exactly the same logic and goal.”
The method of distribution was also similar across families: the Trojans checked for a marker indicating whether the machine had already been compromised before downloading ZIP archives of data. Identical distribution chains distribute multiple banking Trojans, and the vast majority of them have started using Windows Installer (MSI files) as their initial download method.
“We have never observed any of these chains distribute anything else other than the Latin American banking trojans we have analyzed. That is why we believe the authors of the families write the chains themselves and share information with each other,” ESET said.
The execution methods were also similar across families, as these Trojans “tend to bring their own tools” in the ZIP archives and use DLL side-loading to execute those applications, ESET said, dubbing the practice “Bring Your Own Vulnerable Software.” This means these tools don’t need to already be installed on the compromised system. ESET observed 22 legitimate applications being abused this way, such as security tools from G Data, Avast, Avira, and AVG as well as various Microsoft, Java, VirtualBox, and VMware executables.
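The two behaviours the article describes, persistence through the Registry Run key or the Startup folder and execution of a bundled legitimate executable that side-loads a DLL from the same directory, are both cheap to triage from endpoint telemetry. The following script is an added example written from a defender's perspective; it is not ESET's code and not part of the whitepaper. It runs two heuristics over constructed sample data: autostart entries that launch a script or installer host, or a binary living in a user-writable directory, and image-load events in which a process running outside a trusted install location loads an unsigned DLL from its own directory. The file names, paths and signer flags are all invented for the example.

```python
"""Triage of Windows autostart entries and DLL-load events (constructed sample data)."""
import re
from dataclasses import dataclass

# Script and installer hosts that rarely belong in a legitimate Run entry (assumption: heuristic list)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "msiexec.exe", "mshta.exe"}
# Extensions that should prompt review when found directly in a Startup folder
STARTUP_SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "hta", "msi", "bat", "cmd"}
# Path fragments (lower-cased, backslash-normalised) of user-writable locations
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Locations where an OS or vendor executable is expected to be installed
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    source: str   # "Run", "Startup" or "ImageLoad"
    subject: str  # entry name, file name or process path
    reason: str


def _norm(path: str) -> str:
    """Lower-case and normalise separators so substring checks are predictable."""
    return path.lower().replace("/", "\\")


def executable_of(command: str) -> str:
    """Return the executable a Run-key command launches.
    Handles a quoted path followed by arguments; an unquoted path with spaces
    is truncated at the first space, which is acceptable for this heuristic."""
    command = command.strip()
    match = re.match(r'"([^"]+)"', command)
    exe = match.group(1) if match else (command.split()[0] if command else "")
    return _norm(exe)


def flag_autostart(run_entries: dict, startup_files: list) -> list:
    """Flag Run-key entries and Startup-folder files worth a second look."""
    findings = []
    for name, command in run_entries.items():
        exe = executable_of(command)
        base = exe.rsplit("\\", 1)[-1]
        if base in SCRIPT_HOSTS:
            findings.append(Finding("Run", name, f"launches script/installer host {base}"))
        elif any(fragment in exe for fragment in USER_WRITABLE):
            findings.append(Finding("Run", name, "executable lives in a user-writable directory"))
    for file_name in startup_files:
        ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
        if ext in STARTUP_SCRIPT_EXTS:
            findings.append(Finding("Startup", file_name, f".{ext} file in Startup folder"))
    return findings


def flag_sideload(image_loads: list) -> list:
    """Flag a signed process running outside TRUSTED_DIRS that loads an unsigned
    DLL from its own directory: the 'bring your own vulnerable software' shape."""
    findings = []
    for event in image_loads:
        process, dll = _norm(event["process"]), _norm(event["dll"])
        if process.startswith(TRUSTED_DIRS):
            continue  # installed software loading its own DLLs is normal
        same_dir = process.rsplit("\\", 1)[0] == dll.rsplit("\\", 1)[0]
        if same_dir and event.get("process_signed") and not event.get("dll_signed"):
            findings.append(Finding("ImageLoad", event["process"],
                                    f"signed binary outside trusted dirs loaded unsigned {dll.rsplit(chr(92), 1)[-1]}"))
    return findings


# Constructed sample data; none of these paths or names come from the research.
RUN_ENTRIES = {
    "VendorSync": '"C:\\Program Files\\Vendor\\sync.exe" /background',
    "Updater": 'wscript.exe "C:\\Users\\alice\\AppData\\Roaming\\upd.vbs"',
    "Helper": '"C:\\Users\\alice\\AppData\\Local\\Temp\\vendor_tool.exe"',
}
STARTUP_FILES = ["shortcut.lnk", "launch.vbs"]
IMAGE_LOADS = [
    {"process": "C:\\Users\\alice\\AppData\\Local\\Temp\\vendor_tool.exe", "process_signed": True,
     "dll": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll", "dll_signed": False},
    {"process": "C:\\Program Files\\Vendor\\tool.exe", "process_signed": True,
     "dll": "C:\\Program Files\\Vendor\\helper.dll", "dll_signed": False},
    {"process": "C:\\Users\\alice\\AppData\\Local\\Temp\\vendor_tool.exe", "process_signed": True,
     "dll": "C:\\Windows\\System32\\kernel32.dll", "dll_signed": True},
]

if __name__ == "__main__":
    for finding in flag_autostart(RUN_ENTRIES, STARTUP_FILES) + flag_sideload(IMAGE_LOADS):
        print(f"[{finding.source}] {finding.subject}: {finding.reason}")
```

Fed real data, the Run entries would come from `HKCU` and `HKLM` `Software\Microsoft\Windows\CurrentVersion\Run`, the Startup list from the per-user and all-users Startup folders, and the image-load events from an EDR or Sysmon image-load feed. Both heuristics produce benign hits (portable tools, installers that register a script host), so they are a triage filter rather than a verdict; the point is that the behaviours the article attributes to all eleven families are visible in ordinary telemetry without any family-specific signature.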
Such “tight collaboration between malware families that share the same goal, are region-specific and are in fact expected to be competitors” was not expected, ESET said.