ESET discovers close cooperation among LATAM banking trojan families


Share

ESET researchers have published a white paper detailing their findings on the interconnected nature of Latin American banking trojan families. Even though Latin American banking trojans can be looked upon as one homogenous group of malware, ESET reports that multiple distinct malware families can be recognized. At the same time, ESET researchers have discovered a surprising number of indicators of close cooperation among Latin American banking trojan authors. Despite the term “Latin American,” some of the trojans have been targeting Spain and Portugal since late last year. The white paper was first published during the VB2020 localhost conference.

“Over the past year, we have been publishing an ongoing blog post series about Latin American banking trojan families. These blog posts mainly focus on the most important and interesting aspects of these families,” says Jakub Souček, one of the researchers working on Latin American financial cybercrime. “At the VB conference, we looked at these families from a high-level perspective. Rather than examining details of each family and highlighting their unique characteristics, we focused on what they have in common.”

The first similarities ESET spotted were in the actual implementation of these banking trojans. The most obvious are the practically identical implementations of the banking trojans’ core functionalities and attack techniques via fake pop-up windows carefully designed to lure victims into providing sensitive information. Besides that, these malware families share third-party libraries, generally unknown string encryption algorithms, and both string and binary obfuscation techniques.

Other similarities can be observed in malware distribution. The trojans usually check for a marker used to indicate that the machine has already been compromised and download data in ZIP archives. ESET also observed identical distribution chains distributing several different payloads and shared execution methods.

“Additionally, different families use similar spam email templates in their latest campaigns, almost as if this was a coordinated move,” says Souček. “Since we don’t believe it to be possible that independent malware authors would come up with so many common ideas – and, moreover, since we don’t believe one group to be responsible for maintaining all these malware families – we must conclude that these are multiple threat actors closely cooperating with each other.”

For more technical details about this spyware, read the white paper “LATAM financial cybercrime: Competitors in crime sharing TTPs” on WeLiveSecurity.