Latin American banking Trojans are an ever-evolving threat, and ESET has recently observed some of their largest campaigns to date. They mainly affect Brazil, Spain and Mexico. Mekotio and Grandoreiro have expanded into Europe, also targeting Italy, France and Belgium.
ESET, a global leader in the cybersecurity market, has concluded its investigation dedicated to unmasking Latin American banking Trojans, which began in August 2019. Since then, it has examined the most active ones, namely Amavaldo, Casbaneiro, Mispadu, Guildma, Grandoreiro, Mekotio, Vadokrist, Ousaban and Numando, which share many characteristics and behaviors with each other. Overall, ESET has identified a dozen different malware families, most of which are still active. The most important discovery made during this investigation is the expansion of Mekotio and Grandoreiro into Europe, especially Spain; this has been accompanied by occasional small campaigns observed by ESET researchers in Italy, France and Belgium. Since they expanded into Europe, and increasingly so in recent months, Latin American banking Trojans have attracted more and more attention from both researchers and law enforcement.
ESET telemetry shows a surprising increase in the reach of Ousaban, Grandoreiro and Casbaneiro in recent months, suggesting that the threat actors behind these malware families are determined to continue their malicious actions against users in the target countries.
These campaigns have been found to always come in waves: more than 90% of them are distributed through spam, typically leading to a ZIP archive or MSI installer. A campaign usually lasts a maximum of one week.
"Brazil is still the most targeted country, followed by Spain and Mexico. Since 2020, Grandoreiro and Mekotio have expanded into Europe – mainly Spain. What started with several smaller campaigns, probably to test new territory, has evolved into something much bigger. In fact, in August and September 2021, Grandoreiro launched its largest campaign yet and targeted Spain," explained Jakub Souček, the researcher at ESET leading investigations into Latin American banking Trojans.
In June 2021, Spanish law enforcement agencies arrested 16 people linked to Mekotio and Grandoreiro. The police specified that almost 300,000 euros were stolen, but that transfers totaling 3.5 million euros were blocked. Correlating this arrest with the activity of Latin American banking Trojans in Spain, it would appear that the arrested people were linked to Mekotio, although ESET has detected further activity since.
Latin American banking Trojans tend to change quickly. In the early days of ESET's monitoring, some of them added or changed key features several times a month. Today they still change very often, but the core seems to remain mostly intact. Precisely because development has partially stabilized, ESET believes that operators are now focusing on improving distribution.
"Latin American banking Trojans require many conditions to be met for the attack to be successful," says Souček. "Potential victims have to follow the necessary steps to install the malware on their machines; they have to visit a targeted website and log in to their accounts. On the other hand, the operators have to react to this situation by manually guiding the malware to display the fake pop-up window and take control of the victim's machine."
During this series of investigations, several Latin American banking Trojans became inactive, most notably Krachulka, Lokorrito, and Zumanek. Recently, ESET researchers also discovered Janeleiro, a new Latin American banking Trojan. In the future, ESET plans to cover the expansion of some of these banking Trojans to the Android platform.
More technical details on Latin American banking Trojans are available at this link: "Latin America's Dirty Dozen: From Amavaldo to Zumanek" on WeLiveSecurity.