New Banking Malware Program Numando Targets Latin America

Banking Security

ESET security researchers have found a new banking malware program named "Numando".

Numando, written in Delphi, uses fake overlay windows to obtain sensitive data from its victims. Some Numando variants store these overlay images inside .rsrc files, while others keep them in a separate Delphi DLL.

How Does It Work?

Numando is a malware program written in Delphi that targets Latin American banks. It primarily targets Brazil, but there have been campaigns in Mexico and Spain as well. It uses fake overlay windows, contains backdoor functionality, and is delivered through an MSI file.

Numando’s backdoor capabilities include simulating mouse and keyboard actions, restarting and shutting down the machine, creating overlay screens, taking screenshots, and killing browser processes.

“Numando brings interesting new techniques to the pool of Latin American banking trojans’ tricks, like using seemingly useless ZIP archives or bundling payloads with decoy BMP images,” ESET researchers said in a technical analysis published on Friday.


How Is It Distributed?

The Numando malware program is distributed through spam. Based on telemetry data, its campaigns affect several hundred victims at most, making it considerably less successful than the most prevalent LATAM banking trojans such as Mekotio and Grandoreiro. Each spam message contains a ZIP attachment, and that ZIP contains an MSI installer.

The installer contains an encrypted Numando banking malware DLL, an injector, and a CAB archive containing a legitimate application. If the victim executes the MSI, it eventually runs the legitimate application, which side-loads the injector.
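One defensive check a mail gateway can apply to the delivery chain described above is to look inside the ZIP attachment and classify each member by its leading bytes rather than its filename, so an MSI (an OLE compound file) or a DLL hidden behind a harmless-looking extension is still flagged. This is an added example written for this article, not ESET's or Numando's code; the sample attachment it builds is constructed and contains no real installer.

```python
import io
import zipfile

# Leading bytes that identify the container, whatever the filename claims.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file: the MSI container format
MZ_MAGIC = b"MZ"                                  # PE executable / DLL
ZIP_MAGIC = b"PK\x03\x04"                         # nested ZIP archive

def classify(head: bytes) -> str:
    """Name the container type from the first bytes of a member."""
    if head.startswith(OLE_MAGIC):
        return "ole-compound (MSI)"
    if head.startswith(MZ_MAGIC):
        return "pe-executable"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "other"

def triage_zip(zip_bytes: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3):
    """List (path, type) for every member that is an installer, executable or nested
    archive. Only the first 8 bytes of each member are inflated for classification,
    so an oversized member costs little; nested ZIPs are recursed into up to max_depth."""
    findings = []
    if depth > max_depth:
        return findings
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            with zf.open(info) as member:
                kind = classify(member.read(8))
            if kind == "zip":
                findings.extend(triage_zip(zf.read(info), path + "/", depth + 1, max_depth))
            elif kind != "other":
                findings.append((path, kind))
    return findings

def build_sample_attachment() -> bytes:
    """Constructed sample shaped like the chain above: an outer ZIP holding an inner ZIP
    whose 'invoice.pdf' is really an OLE/MSI container header followed by padding."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf", OLE_MAGIC + b"\x00" * 504)
        zf.writestr("readme.txt", b"Please see the attached invoice.")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("documents.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, kind in triage_zip(build_sample_attachment()):
        print(f"{path}: {kind}")
```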

Numando uses public services such as YouTube and Pastebin to store its remote configuration. In response to ESET's notification, Google took down the malicious videos right away.


In May 2021, the TeaBot Android banking malware program was found in Europe. Once downloaded, it tries to install itself as an Android Service, a feature TeaBot abuses to hide itself.
