BRATISLAVA, PRAGUE – ESET researchers have today published a white paper detailing their findings on the interconnected nature of Latin American banking trojan families. Even though Latin American banking trojans can be looked upon as one homogeneous group of malware, ESET reports that multiple distinct malware families can be recognized. At the same time, ESET researchers have discovered a surprising number of indicators of close cooperation among Latin American banking trojan authors. Despite the term “Latin American,” some of the trojans have been targeting Spain and Portugal since late last year. The white paper was first published during the VB2020 localhost conference.
“Over the past year, we have been publishing an ongoing blog post series about Latin American banking trojan families. These blog posts mainly focus on the most important and interesting aspects of these families,” says Jakub Souček, one of the researchers working on Latin American financial cybercrime. “At the VB conference, we looked at these families from a high-level perspective. Rather than examining details of each family and highlighting their unique characteristics, we focused on what they have in common.”
The first similarities ESET spotted were in the implementation of the banking trojans themselves. The most obvious is the near-identical implementation of the trojans’ core functionality: the attack is carried out through fake pop-up windows, carefully designed to lure victims into entering sensitive information such as banking credentials. Beyond that, the malware families share third-party libraries, string encryption algorithms that are otherwise rarely seen, and the same string and binary obfuscation techniques.
Other similarities can be observed in malware distribution. The trojans typically check for a marker indicating that the machine has already been compromised, and they download their payloads as ZIP archives. ESET also observed identical distribution chains delivering several different families’ payloads, as well as shared execution methods.
“Additionally, different families use similar spam email templates in their latest campaigns, almost as if this was a coordinated move,” says Souček. “Since we don’t believe it to be possible that independent malware authors would come up with so many common ideas – and, moreover, since we don’t believe one group to be responsible for maintaining all these malware families – we must conclude that these are multiple threat actors closely cooperating with each other.”
For more technical details about these banking trojans, read the white paper “LATAM financial cybercrime: Competitors in crime sharing TTPs” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.