New Threat: Banking Trojan Known as Numando Abuses YouTube for Remote Configuration


The newly identified banking trojan known as Numando is able to obtain the identity information of the victims it targets. The malware abuses public platforms as part of its operation.

ESET researchers have detected a new banking trojan, known as Numando, that abuses YouTube, Pastebin and other public platforms as C2 infrastructure.

The threat actor behind this malware has been active since at least 2018 and focuses almost exclusively on Brazil; however, experts point out that there are rare attacks against users in Mexico and Spain. Like other Latin American banking trojans, this new strain is written in Delphi and relies on deceiving victims with fake windows in order to obtain sensitive information.

Virus targets victims’ credentials


In the analysis published by ESET, the researchers stated: “Some Numando variants store these images in an encrypted ZIP archive in their .rsrc sections, while others use a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart the machine, and terminate browser processes.” They added: “But unlike other Latin American banking trojans, commands are defined as numbers rather than strings, which is also what inspired us to name this malware family.”

Unlike the other Latin American banking trojans that the experts have analyzed, Numando has not been observed to be under continuous development.

Numando is distributed almost exclusively through malicious spam campaigns. In its latest attacks it used messages carrying a ZIP attachment that contains an MSI loader. The loader contains a CAB archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL. Running the MSI starts the legitimate application, which loads the injector; the injector then decrypts and activates the payload. Once installed on the target device, Numando displays fake windows every time the victim visits a financial institution’s site, capturing the victim’s credentials.

Utilizing public services


Experts also uncovered another distribution chain used in recent attacks, which starts with a Delphi downloader fetching a decoy ZIP archive. The downloader ignores the contents of the ZIP archive and extracts a hex-encoded (base-16) string from the ZIP file comment at the end of the file; decoding this string yields a different URL that points to the actual payload archive.

The report states: “The second ZIP archive contains a legitimate application, an injector, and a suspiciously large BMP image. When the downloader extracts the contents of this archive and runs the legitimate application that installs the injector, the Numando banking trojan is extracted from the BMP overlay and starts running.” It also notes: “Since this BMP file is a valid image and the overlay is simply ignored, it can be opened by most viewers and editors without any problems.”
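As an added defensive example (not code from the ESET report or from this article), the following Python script checks the two artifacts of the distribution chain described above: a hex-encoded string hidden in a ZIP archive comment, and a BMP image whose real size exceeds the size declared in its header (an overlay). The sample ZIP and BMP are constructed in memory, and the URL placed in the comment is a placeholder, not an indicator from the report.

```python
import io
import struct
import zipfile
from typing import Optional


def bmp_overlay_size(data: bytes) -> int:
    """Bytes appended after the size declared in the BMP file header (0 for a
    clean image). Raises ValueError for input that is not a parseable BMP."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared = struct.unpack_from("<I", data, 2)[0]  # bfSize field
    if declared < 14 or declared > len(data):
        raise ValueError("truncated or malformed BMP header")
    return len(data) - declared


def zip_comment_hex_decoded(data: bytes) -> Optional[str]:
    """Hex-decode the archive comment stored in the ZIP end-of-central-directory
    record; None when the comment is empty or is not a hex string."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        comment = zf.comment
    if not comment:
        return None
    try:
        return bytes.fromhex(comment.decode("ascii")).decode("utf-8")
    except (UnicodeDecodeError, ValueError):
        return None


def make_bmp() -> bytes:
    """Constructed 2x2 white 24-bit BMP (14-byte file header, 40-byte info header)."""
    width, height = 2, 2
    row = b"\xff\xff\xff" * width + b"\x00\x00"  # 6 pixel bytes padded to 8
    pixels = row * height
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def make_zip_with_comment(comment: bytes) -> bytes:
    """Constructed decoy ZIP whose only interesting part is the archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.txt", "harmless decoy content")
        zf.comment = comment
    return buf.getvalue()


CLEAN_BMP = make_bmp()
SUSPICIOUS_BMP = CLEAN_BMP + b"\x00" * 64  # constructed 64-byte overlay
PLACEHOLDER_URL = "https://example.invalid/payload.zip"  # placeholder, not a real IoC
DECOY_ZIP = make_zip_with_comment(PLACEHOLDER_URL.encode().hex().encode())
```

A triage script can apply the same two checks to files extracted from a suspicious mail attachment; an overlay of more than a few bytes on a "valid" BMP, or a ZIP comment that decodes to a URL, is worth a closer look.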

Numando leverages public services such as Pastebin and YouTube for remote configuration, a technique also used by other malware such as Casbaneiro.

Numando can also simulate mouse clicks and keyboard actions. It can hijack the PC’s shutdown and restart functions, take screenshots, and terminate browser processes.
