From Carnaval to Cinco de Mayo – The journey of Amavaldo

The first in an occasional series demystifying Latin American banking trojans

At the end of 2017, a group of researchers from ESET’s Prague malware lab decided to take a deeper look at the infamous Delphi-written banking trojans that are known to target Brazil. We extended our focus to other parts of Latin America (such as Mexico and Chile) soon after as we noticed many of these banking trojans target those countries as well. Our main goal was to discover whether there is a way to classify these banking trojans and to learn more about their behavior in general.


We have learnt a lot – we have identified more than 10 new malware families, studied the distribution chains and linked them to the new families accordingly, and dissected the internal behavior of the banking trojans. In this initial blog post, we will start by describing this type of banking trojan in general and then move to the first newly identified malware family we’ll discuss – Amavaldo.

Before moving further, let’s define the characteristics of this type of banking trojan:


It is written in the Delphi programming language
It contains backdoor functionality
It uses long distribution chains
It may divide its functionality into multiple components
It usually abuses legitimate tools and software
It targets Spanish- or Portuguese-speaking countries

We have encountered other common characteristics during our research. Most Latin American banking trojans we have analyzed connect to the C&C server and stay connected, waiting for whatever commands the server sends. After receiving a command, they execute it and wait for the next one. The commands are probably pushed manually by the attacker. You can think of this approach as a chat room where all the members react to what the admin writes.
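The persistent-session behaviour described above has a network-level footprint: one outbound connection that stays open for a long time while carrying very little data between commands. The following is an added example (not ESET's code and not taken from the post) that applies that idea to constructed, Zeek-conn-like connection records; the internal address ranges, the thresholds, and the log lines themselves are all assumptions made for the illustration.

```python
"""Flag long-lived, low-volume outbound sessions in connection records.

Added example, not part of the original post. The records, the internal
network list and the thresholds are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class ConnRecord:
    ts: float          # session start, epoch seconds
    src: str           # internal host that opened the session
    dst: str           # remote peer
    dport: int         # destination port
    duration: float    # seconds the session stayed open
    orig_bytes: int    # bytes sent by the internal host
    resp_bytes: int    # bytes sent by the remote peer


# Assumed internal address space for the monitored network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: tab-separated fields in the ConnRecord order.
# Line 1: short HTTPS fetch.  Line 2 and 4: sessions open for hours that
# moved only a few hundred bytes.  Line 3: a long but busy download.
SAMPLE_LOG = """\
1565000000.0\t10.0.0.5\t198.51.100.7\t443\t2.1\t1400\t52000
1565000010.0\t10.0.0.5\t203.0.113.9\t8090\t7200.0\t820\t640
1565000020.0\t10.0.0.8\t198.51.100.23\t80\t3600.0\t40000000\t120000000
1565000030.0\t10.0.0.9\t203.0.113.40\t5555\t5400.0\t300\t210
"""


def parse_conn_log(text: str) -> List[ConnRecord]:
    """Parse the constructed tab-separated format into ConnRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, dur, ob, rb = line.split("\t")
        records.append(ConnRecord(float(ts), src, dst, int(dport),
                                  float(dur), int(ob), int(rb)))
    return records


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_outbound(rec: ConnRecord) -> bool:
    """Session from an internal host to a peer outside the internal ranges."""
    return is_internal(rec.src) and not is_internal(rec.dst)


def find_idle_sessions(records: List[ConnRecord],
                       min_duration: float = 1800.0,
                       max_bytes_per_sec: float = 5.0) -> List[ConnRecord]:
    """Return outbound sessions that stayed open at least min_duration
    seconds while averaging no more than max_bytes_per_sec in both
    directions combined, i.e. sessions that mostly sat idle."""
    hits = []
    for rec in records:
        if not is_outbound(rec) or rec.duration < min_duration:
            continue
        rate = (rec.orig_bytes + rec.resp_bytes) / rec.duration
        if rate <= max_bytes_per_sec:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_idle_sessions(parse_conn_log(SAMPLE_LOG)):
        print(f"{hit.src} -> {hit.dst}:{hit.dport} open {hit.duration:.0f}s, "
              f"{hit.orig_bytes + hit.resp_bytes} bytes total")
```

Idle keep-alive sessions are also produced by legitimate software such as messaging clients and VPNs, so this filter is a triage step that narrows which hosts to examine, not a verdict on its own; the duration and byte-rate thresholds should be tuned to the baseline of the network being monitored.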


The C&C ..
