{"id":8269,"date":"2021-12-15T12:00:00","date_gmt":"2021-12-15T10:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2021\/12\/15\/the-dirty-dozen-of-latin-america-from-amavaldo-to-zumanek\/"},"modified":"2021-12-15T12:00:00","modified_gmt":"2021-12-15T10:00:00","slug":"the-dirty-dozen-of-latin-america-from-amavaldo-to-zumanek","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2021\/12\/15\/the-dirty-dozen-of-latin-america-from-amavaldo-to-zumanek\/","title":{"rendered":"The dirty dozen of Latin America: From Amavaldo to Zumanek"},"content":{"rendered":"<p>ESET started this blogpost series dedicated to demystifying Latin American banking trojans in August 2019. Since then, we have covered the most active ones, namely <a href=\"https:\/\/www.welivesecurity.com\/2019\/08\/01\/banking-trojans-amavaldo\/\">Amavaldo<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2019\/10\/03\/casbaneiro-trojan-dangerous-cooking\/\">Casbaneiro<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2019\/11\/19\/mispadu-advertisement-discounted-unhappy-meal\/\">Mispadu<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2020\/03\/05\/guildma-devil-drives-electric\/\">Guildma<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2020\/04\/28\/grandoreiro-how-engorged-can-exe-get\/\">Grandoreiro<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2020\/08\/13\/mekotio-these-arent-the-security-updates-youre-looking-for\/\">Mekotio<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2021\/01\/21\/vadokrist-wolf-sheeps-clothing\/\">Vadokrist<\/a>, <a href=\"https:\/\/www.welivesecurity.com\/2021\/05\/05\/ousaban-private-photo-collection-hidden-cabinet\/\">Ousaban<\/a> and <a href=\"https:\/\/www.welivesecurity.com\/2021\/09\/17\/numando-latam-banking-trojan\/\">Numando<\/a>. 
Latin American banking trojans share a lot of common characteristics and behavior \u2013 a topic ESET has dedicated a <a href=\"https:\/\/www.welivesecurity.com\/2020\/10\/01\/latam-financial-cybercrime-competitors-crime-sharing-ttps\/\">white paper<\/a> to. Therefore, in the series, we have focused on the unique features of each malware family to help distinguish one from the other.<\/p>\n<h2>Key takeaways<\/h2>\n<ul>\n<li>Latin American banking trojans are an ongoing, evolving threat<\/li>\n<li>They target mainly Brazil, Spain, and Mexico<\/li>\n<li>There are at least eight different malware families still active at the time of this writing<\/li>\n<li>Three families went dormant during the course of this series so did not get their own blogpost, but we briefly describe their main features here<\/li>\n<li>The vast majority are distributed via spam, usually leading to a ZIP archive or an MSI installer<\/li>\n<\/ul>\n<h2>Current state<\/h2>\n<p>Besides Amavaldo, which became dormant around November 2020, all the other families remain active to this day. Brazil is still the most targeted country, followed by Spain and Mexico (see Figure 1). Since 2020, Grandoreiro and Mekotio expanded to Europe \u2013 mainly Spain. What started as several minor campaigns, likely to test the new territory, evolved into something much <em>grander<\/em>. 
In fact, in August and September 2021, Grandoreiro launched its largest campaign so far and it targeted Spain (see Figure 2).<\/p>\n<p><span><\/p>\n<p><em><strong> The other instalments of our series on Latin American banking trojans: <\/strong><\/em><br \/>\n<em><a href=\"https:\/\/www.welivesecurity.com\/2019\/08\/01\/banking-trojans-amavaldo\/\">From Carnaval to Cinco de Mayo \u2013 The journey of Amavaldo<\/a><\/em><br \/>\n<em><a href=\"https:\/\/www.welivesecurity.com\/2019\/10\/03\/casbaneiro-trojan-dangerous-cooking\/\">Casbaneiro: Dangerous cooking with a secret ingredient<\/a><\/em><br \/>\n<em><a href=\"https:\/\/www.welivesecurity.com\/2019\/11\/19\/mispadu-advertisement-discounted-unhappy-meal\/\">Mispadu: Advertisement for a discounted Unhappy Meal<\/a><\/em><br \/>\n<em><a href=\"https:\/\/www.welivesecurity.com\/2020\/03\/05\/guildma-devil-drives-electric\/\">Guildma: The Devil drives electric<\/a><\/em><br \/>\n<em><a href=\"https:\/\/www.welivesecurity.com\/2020\/04\/28\/grandoreiro-how-engorged-can-exe-get\/\">Grandoreiro: How engorged can an EXE get?<\/a><\/em><br \/>\n<em><a href=\"https:\/\/www.welivesecurity.com\/2020\/08\/13\/mekotio-these-arent-the-security-updates-youre-looking-for\/\">Mekotio: These aren\u2019t the security updates you\u2019re looking for\u2026<\/a><\/em><br \/>\n<em><a href=\"https:\/\/www.welivesecurity.com\/2021\/01\/21\/vadokrist-wolf-sheeps-clothing\/\">Vadokrist: A wolf in sheep\u2019s clothing<\/a><\/em><br \/>\n<em><a href=\"https:\/\/www.welivesecurity.com\/2021\/05\/05\/ousaban-private-photo-collection-hidden-cabinet\/\">Ousaban: Private photo collection hidden in a CABinet<\/a><\/em><br \/>\n<em><a href=\"https:\/\/www.welivesecurity.com\/2021\/09\/17\/numando-latam-banking-trojan\/\">Numando: Count once, code twice<\/a><\/em>\n<\/p>\n<p><\/span><\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-1.-Top-three-countries-most-affected-by-Latin-American-banking-trojans.png\" 
data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"381\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-1.-Top-three-countries-most-affected-by-Latin-American-banking-trojans.png\" width=\"800\"><\/a><\/p>\n<p><em>Figure 1. Top three countries most affected by Latin American banking trojans<\/em><\/p>\n<\/div>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-2.-LATAM-banking-trojan-activity-in-Spain.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"381\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-2.-LATAM-banking-trojan-activity-in-Spain.png\" width=\"800\"><\/a><\/p>\n<p><em>Figure 2. LATAM banking trojan activity in Spain<\/em><\/p>\n<\/div>\n<p>While Grandoreiro remains dominant in Spain, Ousaban and Casbaneiro dominated Brazil in the latest months, as illustrated by Figure 3. Mispadu seems to have shifted its focus almost exclusively to Mexico, occasionally accompanied by Casbaneiro and Grandoreiro, as seen in Figure 4.<\/p>\n<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-3.-LATAM-banking-trojan-activity-in-Brazil.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"381\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-3.-LATAM-banking-trojan-activity-in-Brazil.png\" width=\"800\"><\/a><\/p>\n<p><em>Figure 3. 
LATAM banking trojan activity in Brazil<\/em><\/p>\n<\/div>\n<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-4.-LATAM-banking-trojan-activity-in-Mexico.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"381\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-4.-LATAM-banking-trojan-activity-in-Mexico.png\" width=\"800\"><\/a><\/p>\n<p><em>Figure 4. LATAM banking trojan activity in Mexico<\/em><\/p>\n<\/div>\n<p>Latin American banking trojans used to change rapidly. In the early days of our tracking, some of them were adding to or modifying their core features several times a month. Nowadays they still change very often, but the core seems to remain mostly untouched. Due to the partially stabilized development, we believe the operators are now focusing on improving distribution.<\/p>\n<p>The campaigns we see always come in waves and more than 90% of them are distributed through spam. One campaign usually lasts for a week at most. In Q3 and Q4 2021, we have seen Grandoreiro, Ousaban and Casbaneiro increasing their reach enormously compared to their previous activity, as illustrated in Figure 5.<\/p>\n<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-5.-LATAM-banking-trojan-activity-worldwide.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"381\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-5.-LATAM-banking-trojan-activity-worldwide.png\" width=\"800\"><\/a><\/p>\n<p><em>Figure 5. 
LATAM banking trojan activity worldwide<\/em><\/p>\n<\/div>\n<h2>Impact<\/h2>\n<p>Latin American banking trojans require a lot of conditions to attack successfully:<\/p>\n<ul>\n<li>Potential victims need to follow steps required to install the malware on their machines<\/li>\n<li>Victims need to visit a targeted website and log into their accounts<\/li>\n<li>Operators need to react to this situation and manually command the malware to display the fake pop-up window and take control of the victim\u2019s machine<\/li>\n<li>Victims need to not suspect malicious activity and possibly even enter an authentication code in the case of 2FA<\/li>\n<\/ul>\n<p>That said, it is hard to estimate the impact of these banking trojans just based on telemetry. However, in June this year, we were able to get a picture when Spanish law enforcement <a href=\"https:\/\/therecord.media\/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans\/\">arrested 16 people related to Mekotio and Grandoreiro<\/a>.<\/p>\n<p>In the <a href=\"http:\/\/www.interior.gob.es\/prensa\/noticias\/-\/asset_publisher\/GHU8Ap6ztgsg\/content\/id\/13552853\">report<\/a>, police state that almost \u20ac300,000 were stolen and they were able to block the transfer of a total of \u20ac3.5 million. Correlating this arrest with Figure 2, we see that Mekotio seems to have taken a much larger hit than Grandoreiro, leading us to believe that the arrested people were more connected to Mekotio. Even though Mekotio went very quiet for almost two months after the arrest, ESET continues to see new campaigns distributing Mekotio at the time of writing.<\/p>\n<p>For reference purposes, back in 2018, <a href=\"https:\/\/www.visaooeste.com.br\/preso-no-tambore-por-desvio-de-r-400-milhoes-e-liberado-da-cadeia\/\">Brazilian police forces arrested a criminal<\/a> behind another banking trojan in what was called Operation Ostentation. 
They estimated that he had been able to steal approximately US$400 million from victims in Brazil.<\/p>\n<h2>Families we didn\u2019t cover<\/h2>\n<p>During the course of our series, several Latin American banking trojans became inactive. While we had planned to dedicate separate pieces to them, since they have been inactive for over a year now, we will just briefly mention them in the sections below. We also provide IoCs for them at the end of this blogpost.<\/p>\n<h3>Krachulka<\/h3>\n<p>This malware family was active in Brazil until the middle of 2019. Its most noticeable characteristic was its usage of well-known cryptographic methods to encrypt strings, as opposed to the majority of Latin American banking trojans that mainly use custom encryption schemes, some of which are shared across these families. We have observed Krachulka variants using AES, RC2, RC4, 3DES and a slightly customized variant of Salsa20.<\/p>\n<p>Krachulka, despite being written in Delphi like most other Latin American banking trojans, was distributed by a downloader written in the Go programming language \u2013 another unique characteristic among this kind of banking malware (see Figure 6).<\/p>\n<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-6.-Krachulka-downloader-written-in-Go.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"442\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-6.-Krachulka-downloader-written-in-Go.png\" width=\"662\"><\/a><\/p>\n<p><em>Figure 6. Krachulka downloader written in Go<\/em><\/p>\n<\/div>\n<h3>Lokorrito<\/h3>\n<p>This malware family was active mainly in Mexico until the beginning of 2020. 
We were able to identify additional builds, each dedicated to target a different country \u2013 Brazil, Chile and Colombia.<\/p>\n<p>The most identifying feature of Lokorrito is its usage of a custom <span>User-Agent<\/span> string in network communication (see Figure 7). We have observed two values \u2013 <span>LA CONCHA DE TU MADRE<\/span> and <span>4RR0B4R 4 X0T4 D4 TU4 M4E<\/span>, both quite vulgar expressions in Spanish and Portuguese, respectively.<\/p>\n<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-7.-Lokorrito-User-Agent.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"239\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-7.-Lokorrito-User-Agent.png\" width=\"658\"><\/a><\/p>\n<p><em>Figure 7. Lokorrito <span>User-Agent<\/span><\/em><\/p>\n<\/div>\n<p>We have identified several additional Lokorrito-related modules. First, a backdoor, which basically functions like a simplified version of the banking trojan without the support for fake overlay windows. We believe it was installed in some Lokorrito campaigns first and, only if the attacker saw fit, it was updated to the actual banking trojan. Then, a spam tool, which generates spam emails distributing Lokorrito and sending them to further potential victims. The tool generated the emails based on both hardcoded data and data obtained from a C&amp;C server. Finally, we identified a simple infostealer designed to steal the victim\u2019s Outlook address book and a password stealer intended to harvest Outlook and FileZilla credentials.<\/p>\n<h3>Zumanek<\/h3>\n<p>This malware family was active exclusively in Brazil until the middle of 2020. It was the first Latin American banking trojan malware family ESET identified. 
In fact, ESET analyzed one variant in 2018 <a href=\"https:\/\/www.welivesecurity.com\/br\/2018\/01\/17\/zumanek-malware-tenta-roubar-credenciais-de-servicos\/\">here<\/a> (in Portuguese).<\/p>\n<p>Zumanek is identified by its method for obfuscating strings. It creates a function for each character of the alphabet and then concatenates the result of calling the correct functions in sequence, as illustrated in Figure 8.<\/p>\n<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-8.-Zumanek-string-obfuscation-technique.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"477\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-8.-Zumanek-string-obfuscation-technique.png\" width=\"530\"><\/a><\/p>\n<p><em>Figure 8. Zumanek string obfuscation technique<\/em><\/p>\n<\/div>\n<p>Interestingly, Zumanek never utilized any complicated payload execution methods. Its downloaders simply downloaded a ZIP archive containing only the banking trojan executable, usually named <span>drive2<\/span>. The executable was very often protected by either the VMProtect or Armadillo packer.<\/p>\n<p>We think with low confidence that <a href=\"https:\/\/www.welivesecurity.com\/2021\/05\/05\/ousaban-private-photo-collection-hidden-cabinet\/\">Ousaban<\/a> may actually be the successor of Zumanek. Even though the two malware families don\u2019t seem to share any code similarities, their remote configuration format uses very similar delimiters (see Figure 9). 
Additionally, we have observed several servers used by Ousaban that looked very much like those used by Zumanek in the past.<\/p>\n<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-9.-Similarities-between-Zumanek-and-Ousaban-remote-configuration-formats.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"161\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-9.-Similarities-between-Zumanek-and-Ousaban-remote-configuration-formats.png\" width=\"800\"><\/a><\/p>\n<p><em>Figure 9. Similarities between Zumanek and Ousaban remote configuration formats<\/em><\/p>\n<\/div>\n<h2>The future<\/h2>\n<p>Since Latin American banking trojans expanded to Europe, they have been getting more attention from both researchers and police forces. In the latest months, we\u2019ve seen some of their biggest campaigns to date.<\/p>\n<p>ESET researchers also discovered <a href=\"https:\/\/www.welivesecurity.com\/2021\/04\/06\/janeleiro-time-traveler-new-old-banking-trojan-brazil\/\">Janeleiro<\/a>, a Latin American banking trojan written in .NET. Additionally, we may see some of these banking trojans expanding to the Android platform. In fact, one such banking trojan, <a href=\"https:\/\/securelist.com\/ghimob-tetrade-threat-mobile-devices\/99228\/\">Ghimob<\/a>, has already been attributed to the threat actor behind Guildma. However, since we continue to see the developers actively improving their Delphi binaries, we believe they will not just abandon their current arsenal.<\/p>\n<p>Even though many Latin American banking trojans are somewhat cumbersome and overcomplicated in their implementation, they represent a different approach to attacking victims\u2019 bank accounts. 
As opposed to the most notorious banking trojans of the recent past, they don\u2019t inject the web browser, nor do they need to find ways to webinject a certain banking website. Instead, they design a pop-up window \u2013 likely a much faster and easier process. The threat actors already have templates at their disposal that they easily modify for different financial institutions (see Figure 10). That is their main advantage.<\/p>\n<\/p>\n<div><a  href=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-10.-Fake-overlay-window-templates.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" data-magnific_type=\"gallery\" title=\"\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"518\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2021\/12\/Figure-10.-Fake-overlay-window-templates.png\" width=\"800\"><\/a><\/p>\n<p><em>Figure 10. Fake overlay window templates<\/em><\/p>\n<\/div>\n<p>The main disadvantage is that there is very little to no automation in the attack process \u2013 without active participation of the attacker, the banking trojan will do almost no harm. Whether some new kind of malware will try to automate this approach remains a question for the future.<\/p>\n<h2>Conclusion<\/h2>\n<p>In our series, we have presented the most active Latin American banking trojans of the past few years. We have identified a dozen different malware families, most of which remain active at the time of this writing. We have identified their unique features as well as their many commonalities.<\/p>\n<p>The most significant discovery during the course of our series is likely the expansion of Mekotio and Grandoreiro to Europe. Besides Spain, we\u2019ve observed occasional small campaigns targeting Italy, France and Belgium. 
We believe these banking trojans will continue to test new territories for future expansion.<\/p>\n<p>Our telemetry shows a surprisingly large increase in the reach of Ousaban, Grandoreiro and Casbaneiro in recent months, leading us to conclude the threat actors behind these malware families are determined to continue their nefarious actions against users in targeted countries. ESET will continue to track these banking trojans and keep users safe from these threats.<\/p>\n<p><em>For any inquiries, contact us as threatintel@eset.com. Indicators of Compromise for all the mentioned malware families can also be found on <\/em><a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/\"><em>our GitHub repository<\/em><\/a><em>.<\/em><\/p>\n<h2>Indicators of Compromise (IoCs)<\/h2>\n<h3>Hashes<\/h3>\n<h4><strong>Krachulka<\/strong><\/h4>\n<\/p>\n<table>\n<thead>\n<tr>\n<th>SHA-1<\/th>\n<th>Description<\/th>\n<th>ESET detection name<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span>83BCD611F0FD4D7D06C709BC5E26EB7D4CDF8D01<\/span><\/td>\n<td>Krachulka banking trojan<\/td>\n<td>Win32\/Spy.Krachulka.C<\/td>\n<\/tr>\n<tr>\n<td><span>FFE131ADD40628B5CF82EC4655518D47D2AB7A28<\/span><\/td>\n<td>Krachulka banking trojan<\/td>\n<td>Win32\/Spy.Krachulka.C<\/td>\n<\/tr>\n<tr>\n<td><span>4484CE3014627F8E2BB7129632D5A011CF0E9A2A<\/span><\/td>\n<td>Krachulka banking trojan<\/td>\n<td>Win32\/Spy.Krachulka.A<\/td>\n<\/tr>\n<tr>\n<td><span>20116A5F01439F669FD4BF77AFEB7EFE6B2175F3<\/span><\/td>\n<td>Krachulka Go downloader<\/td>\n<td>Win32\/TrojanDownloader.Banload.YJA<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4><strong>Lokorrito<\/strong><\/h4>\n<\/p>\n<table>\n<thead>\n<tr>\n<th>SHA-1<\/th>\n<th>Description<\/th>\n<th>ESET detection name<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span>4249AA03E0F5142821DB2F1A769F3FE3DB63BE54<\/span><\/td>\n<td>Lokorrito banking 
trojan<\/td>\n<td>Win32\/Spy.Lokorrito.L<\/td>\n<\/tr>\n<tr>\n<td><span>D30F968741D4023CD8DAF716C78510C99A532627<\/span><\/td>\n<td>Lokorrito banking trojan<\/td>\n<td>Win32\/Spy.Lokorrito.A<\/td>\n<\/tr>\n<tr>\n<td><span>6837d826fbff3d81b0def4282d306df2ef59e14a<\/span><\/td>\n<td>Lokorrito banking trojan<\/td>\n<td>Win32\/Spy.Lokorrito.L<\/td>\n<\/tr>\n<tr>\n<td><span>2F8F70220A9ABDCAA0868D274448A9A5819A3EBC<\/span><\/td>\n<td>Lokorrito backdoor module<\/td>\n<td>Win32\/Spy.Lokorrito.S<\/td>\n<\/tr>\n<tr>\n<td><span>0066035B7191ABB4DEEF99928C5ED4E232428A0D<\/span><\/td>\n<td>Lokorrito backdoor module<\/td>\n<td>Win32\/Spy.Lokorrito.R<\/td>\n<\/tr>\n<tr>\n<td><span>B29BB5DB1237A3D74F9E88FE228BE5A463E2DFA4<\/span><\/td>\n<td>Lokorrito backdoor module<\/td>\n<td>Win32\/Spy.Lokorrito.M<\/td>\n<\/tr>\n<tr>\n<td><span>119DC4233DF7B6A44DEC964A084F447553FACA46<\/span><\/td>\n<td>Spam tool<\/td>\n<td>Win32\/SpamTool.Agent.NGO<\/td>\n<\/tr>\n<tr>\n<td><span>16C877179ADC8D5BFD516B5C42BF9D0809BD0BAE<\/span><\/td>\n<td>Password stealer<\/td>\n<td>Win32\/Spy.Banker.ADVQ<\/td>\n<\/tr>\n<tr>\n<td><span>072932392CC0C2913840F494380EA21A8257262C<\/span><\/td>\n<td>Outlook infostealer<\/td>\n<td>Win32\/Spy.Agent.PSN<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4><strong>Zumanek<\/strong><\/h4>\n<\/p>\n<table>\n<thead>\n<tr>\n<th>SHA-1<\/th>\n<th>Description<\/th>\n<th>ESET detection name<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><span>69FD64C9E8638E463294D42B7C0EFE249D29C27E<\/span><\/td>\n<td>Zumanek banking trojan<\/td>\n<td>Win32\/Spy.Zumanek.DO<\/td>\n<\/tr>\n<tr>\n<td><span>59C955C227B83413B4BDF01F7D4090D249408DF2<\/span><\/td>\n<td>Zumanek banking trojan<\/td>\n<td>Win32\/Spy.Zumanek.DK<\/td>\n<\/tr>\n<tr>\n<td><span>4E49D878B13E475286C59917CC63DB1FA3341C78<\/span><\/td>\n<td>Zumanek banking trojan<\/td>\n<td>Win32\/Spy.Zumanek.DK<\/td>\n<\/tr>\n<tr>\n<td><span>2850B7A4E6695B89B81F1F891A48A3D34EF18636<\/span><\/td>\n<td>Zumanek downloader 
(MSI)<\/td>\n<td>Win32\/Spy.Zumanek.DN<\/td>\n<\/tr>\n<tr>\n<td><span>C936C3A661503BD9813CB48AD725A99173626AAE<\/span><\/td>\n<td>Zumanek downloader (MSI)<\/td>\n<td>Win32\/Spy.Zumanek.DM<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>We have created a MITRE ATT&amp;CK table showing a comparison of the techniques used by the Latin American banking trojans featured in this series. It was released as part of our white paper dedicated to examining the many similarities between these banking trojans and can be found <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/2020\/09\/ESET_LATAM_financial_cybercrime.pdf#ESET_LATAM_financial_cybercrime_WP.indd%3A.69659%3A839\">here<\/a>.<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/2021\/12\/15\/dirty-dozen-latin-america-amavaldo-zumanek\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The grand finale of our series dedicated to demystifying Latin American banking 
trojans<\/p>\n","protected":false},"author":5,"featured_media":8270,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2878],"tags":[],"class_list":["post-8269","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eset-research"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8269","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8269"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8269\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8270"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}