Skip to content

ESET Research: Latin American banking trojans spread to Europe at the height of activity

  • Latin American banking trojans are an ongoing, evolving threat and ESET has recently seen some of their biggest campaigns to date.
  • They target mainly Brazil, Spain, and Mexico.
  • Mekotio and Grandoreiro expanded to Europe, mainly targeting Spain but also Italy, France and Belgium.
  • There are at least eight different malware families still active.
  • In June this year, Spanish law enforcement arrested 16 people related to Mekotio and Grandoreiro.
  • The vast majority (90%) are distributed via spam.


BRATISLAVA, PRAGUE — December 15, 2021 — ESET Research is concluding today its blogpost series dedicated to demystifying Latin American banking trojans started in August 2019. Since then, it has covered the most active ones, namely Amavaldo, Casbaneiro,Mispadu, Guildma, Grandoreiro, Mekotio, Vadokrist, Ousaban and Numando. Latin American banking trojans share a lot of common characteristics and behavior. Altogether, ESET has identified a dozen different malware families, most of which remain active to this day. The most significant discovery during the course of this investigation is the expansion of Mekotio and Grandoreiro to Europe, mainly Spain. ESET researchers have also observed occasional small campaigns targeting Italy, France and Belgium. Since Latin American banking trojans expanded to Europe, they have been getting more attention from both researchers and police forces. In the last few months, ESET has seen some of their biggest campaigns to date.

ESET telemetry shows a surprisingly large increase in the reach of Ousaban, Grandoreiro and Casbaneiro in recent months, leading to the conclusion that the threat actors behind these malware families are determined to continue their nefarious actions against users in targeted countries.

The campaigns we see always come in waves and more than 90% of them are distributed through spam, usually leading to a ZIP archive or an MSI installer. One campaign usually lasts for a week at most.

“Brazil is still the most targeted country, followed by Spain and Mexico. Since 2020, Grandoreiro and Mekotio expanded to Europe – mainly Spain. What started as several minor campaigns, likely to test the new territory, evolved into something much bigger. In fact, in August and September 2021, Grandoreiro launched its largest campaign so far and it targeted Spain,” says ESET researcher Jakub Souček, who leads the investigation into Latin American banking trojans.

In June this year, Spanish law enforcement arrested 16 people related to Mekotio and Grandoreiro. In the report, police state that almost €300,000 were stolen and they were able to block the transfer of a total of €3.5 million. Correlating this arrest with Latin American banking trojan activity in Spain, Mekotio seems to have taken a much larger hit than Grandoreiro, leading ESET to believe that the arrested people were more connected to Mekotio. Even though Mekotio went very quiet for almost two months after the arrest, ESET continues to see new campaigns distributing Mekotio.

Latin American banking trojans used to change rapidly. In the early days of ESET’s tracking, some of them were adding to or modifying their core features even several times a month. Nowadays they still change very often, but the core seems to remain mostly untouched. Due to the partially stabilized development, we believe the operators are now focusing on improving distribution.

“Latin American banking trojans require a lot of conditions to attack successfully,” explains Souček. “Potential victims need to follow steps required to install the malware on their machines; they need to visit a targeted website and log into their accounts. On the other side, operators need to react to this situation by manually commanding the malware to display the fake pop-up window and take control of the victim’s machine.”

During the course of this research series, several Latin American banking trojans became inactive, namely, Krachulka, Lokorrito and Zumanek. ESET researchers also discovered Janeleiro, a new Latin American banking trojan. In the future, ESET expects we may see some of these banking trojans expanding to the Android platform.

For more technical details about these Latin American banking trojans, read the blogpost “The dirty dozen of Latin America: From Amavaldo to Zumanek” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

 Top three countries most affected by Latin American banking trojans

Latin American banking trojan activity worldwide

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.



Click one of our contacts below to chat on WhatsApp