This Cartel of Latin American Banking Trojans may be the Largest Malware Collaboration Ever

Collaboration between malware creators is a well-known phenomenon. However, recent ESET research has revealed large-scale coordination among a number of banking malware families across Latin America, which could be the largest such collaboration ever seen.

What has been discovered?

ESET researchers found 11 banking trojan families that have been sharing skills and resources across malware capabilities, distribution channels, and target regions.
The families, namely Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist, and Zumanek, have been observed using the same encryption algorithms and similar domain generation algorithms to reach their C2 servers.
They share the same core functionality or modules, such as operator notifications, regular scanning for active windows, and similar pop-up windows that imitate banking applications.
Moreover, they were observed using the same uncommon third-party libraries, encryption algorithms, and obfuscation techniques.

Additional similarities

Besides sharing the same development infrastructure, the families share the same TTPs.

Several of them have been using Windows Installer (MSI) files as the first stage of the distribution chain.
Their execution methods include DLL side-loading (abusing the same set of legitimate software) and a legitimate AutoIt interpreter.
A similar distribution flow, using similar email templates, is another attribute common to these families.
Additionally, several of the trojans have started targeting Spain and Portugal in their recent campaigns.
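As an added example (not from the article or from ESET's research), the following toy detector shows how a defender might hunt for the delivery chain described above: an MSI first stage that launches a legitimate AutoIt interpreter, or that starts a signed executable which then side-loads a DLL from a user-writable directory. The event shape, field names, sample events, path prefixes and interpreter file names are all constructed assumptions for this illustration.

```python
import ntpath

# Constructed telemetry in a Sysmon-like shape (field names are assumed):
# "process" events record process creation, "imageload" events record a DLL load.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True},
    # MSI first stage launching a legitimate AutoIt interpreter dropped to Temp
    {"type": "process", "pid": 200, "image": r"C:\Users\ana\AppData\Local\Temp\AutoIt3.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe", "signed": True},
    # MSI first stage launching a signed vendor tool that loads an unsigned DLL
    # sitting next to it (the side-loading pattern)
    {"type": "process", "pid": 300, "image": r"C:\Users\ana\AppData\Local\Temp\vendor_tool.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe", "signed": True},
    {"type": "imageload", "pid": 300, "image": r"C:\Users\ana\AppData\Local\Temp\vendor_tool.exe",
     "module": r"C:\Users\ana\AppData\Local\Temp\version.dll", "signed": False},
    # Benign install: child loads a signed system DLL from System32
    {"type": "process", "pid": 400, "image": r"C:\Program Files\Tool\tool.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe", "signed": True},
    {"type": "imageload", "pid": 400, "image": r"C:\Program Files\Tool\tool.exe",
     "module": r"C:\Windows\System32\version.dll", "signed": True},
]

# Assumed list of directories an unprivileged user can write to.
WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Assumed file name of the AutoIt interpreter as dropped by an installer.
AUTOIT_NAMES = {"autoit3.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def in_writable_dir(path):
    p = path.lower()
    return any(marker in p for marker in WRITABLE_MARKERS)


def detect(events):
    """Return a list of (pid, rule_name) findings, in event order."""
    findings = []
    msi_children = set()  # pids of processes spawned directly by msiexec.exe
    for ev in events:
        if ev["type"] == "process":
            if basename(ev["parent_image"]) == "msiexec.exe":
                msi_children.add(ev["pid"])
                if basename(ev["image"]) in AUTOIT_NAMES:
                    findings.append((ev["pid"], "msi_spawns_autoit"))
        elif ev["type"] == "imageload":
            mod = ev["module"]
            # Heuristic: a process started by the installer loads an unsigned DLL
            # from a user-writable directory that is the same directory as its
            # own executable, which is how side-loading hijacks a library search.
            same_dir = ntpath.dirname(mod).lower() == ntpath.dirname(ev["image"]).lower()
            if ev["pid"] in msi_children and not ev["signed"] and in_writable_dir(mod) and same_dir:
                findings.append((ev["pid"], "possible_dll_sideload_from_msi"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The detector keys only on the parent/child relationship and the load location, so it would not catch an installer that runs its payload several process hops away; a production rule would track the full process tree and compare the DLL's signer against the loading executable's.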

Recent incidents

Several malware operators have been observed joining forces and sharing their skills and resources to carry out their attack campaigns.

In August, the Maze cartel was joined by two new malware groups, Conti and SunCrypt. However, the Maze group later