The threat actor behind this malware family has been active since at least 2018. Like the other Latin American banking Trojans described in this series, Numando is written in Delphi and uses fake overlays to steal confidential information from its victims. Some variants of Numando store these overlay images in an encrypted ZIP file within their .rsrc sections, while others use a separate Delphi DLL solely for this storage.

Numando's backdoor capabilities allow the operator to simulate mouse and keyboard actions, reboot and shut down the machine, display overlay windows, take screenshots, and kill browser processes. However, unlike other Latin American banking Trojans, its commands are defined as numbers rather than strings, which inspired the name we chose for this malware family.

This financial malware displays fake overlays to trick victims into submitting sensitive data, such as credentials used to access financial services. As is the case with many variants of banking Trojans, Numando spreads almost “exclusively” through spam and phishing campaigns.

Luckily for us, this threat lacks sophistication, and the operator's approach may have contributed to a low infection rate. In recent campaigns, the spam sent to distribute Numando consists of a phishing message with a .ZIP attachment. When that attachment is downloaded, it in turn downloads a decoy .ZIP file along with the actual .ZIP file, which contains a .CAB file bundling a legitimate software application, an injector, and the Trojan.
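The delivery chain above (a ZIP carrying another ZIP that carries a CAB) is something a mail gateway can triage without running anything. The following is an added example, not code from the original post or from the researchers it summarises: it classifies members by magic bytes rather than file name, walks nested ZIPs with a depth limit and a size guard, and flags any CAB found inside. The sample attachment it builds is constructed for the demonstration and its CAB member is only a header stub.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Leading bytes of a ZIP local-file header and of a Microsoft Cabinet (.CAB) archive.
ZIP_MAGIC = b"PK\x03\x04"
CAB_MAGIC = b"MSCF"
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate oversized members (zip-bomb guard)

def archive_kind(data: bytes) -> Optional[str]:
    """Classify a blob by its magic bytes, not by the file name it was given."""
    return "zip" if data.startswith(ZIP_MAGIC) else "cab" if data.startswith(CAB_MAGIC) else None

def walk_nested(data: bytes, path: str = "attachment.zip", depth: int = 0,
                max_depth: int = 4) -> List[Tuple[str, str, int]]:
    """List every archive found in a ZIP blob, recursively, as (path, kind, depth)."""
    kind = archive_kind(data)
    if kind is None:
        return []
    found = [(path, kind, depth)]
    if kind != "zip" or depth >= max_depth:
        return found  # a CAB is reported but not opened; its presence is the signal
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                found.extend(walk_nested(zf.read(info), f"{path}/{info.filename}",
                                         depth + 1, max_depth))
    except zipfile.BadZipFile:
        pass  # truncated or corrupt ZIP: keep what was classified so far
    return found

def is_suspicious_chain(data: bytes) -> bool:
    """True when a ZIP attachment carries a CAB archive at any nesting level."""
    return any(kind == "cab" for _, kind, _ in walk_nested(data))

def build_sample(with_cab: bool) -> bytes:
    """Constructed attachment mimicking the chain ZIP -> ZIP -> CAB (CAB is a header stub)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("readme.txt", "decoy text")
        if with_cab:
            zf.writestr("app.cab", CAB_MAGIC + b"\x00" * 32)  # stub, not a real cabinet
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("documento.zip", inner.getvalue())
    return outer.getvalue()
```

Running `walk_nested(build_sample(True))` returns the full chain with its nesting depths, which is what a gateway rule would log before quarantining the message.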

It seems that, unlike most other Latin American banking Trojans, Numando shows no signs of continued development. Minor changes appear from time to time, but in general the binaries do not change much; we will see what happens with this Trojan in the future.

Other reads:
Cinobi banking Trojan targeting users in Japan
Tetrade family of banking Trojans