ESET Research discovers close cooperation among Latin American financial cybercriminals

Next story

BRATISLAVA, PRAGUE – ESET researchers have today published a white paper detailing their findings on the interconnected nature of Latin American banking trojan families. Even though Latin American banking trojans can be looked upon as one homogeneous group of malware, ESET reports that multiple distinct malware families can be recognized. At the same time, ESET researchers have discovered a surprising number of indicators of close cooperation among Latin American banking trojan authors. Despite the term “Latin American,”  some of the trojans have been targeting Spain and Portugal since late last year. The white paper was first published during the VB2020 localhost conference.

“Over the past year, we have been publishing an ongoing blog post series about Latin American banking trojan families. These blog posts mainly focus on the most important and interesting aspects of these families,” says Jakub Souček, one of the researchers working on Latin American financial cybercrime. “At the VB conference, we looked at these families from a high-level perspective. Rather than examining details of each family and highlighting their unique characteristics, we focused on what they have in common.”  

The first similarities ESET spotted were in the actual implementation of these banking trojans. The most obvious are the practically identical implementations of the banking trojans’ core functionalities and attack techniques via fake pop-up windows carefully designed to lure victims into providing sensitive information. Besides that, these malware families share third-party libraries, generally unknown string encryption algorithms, and both string and binary obfuscation techniques.

Other similarities can be observed in malware distribution. The trojans usually check for a marker used to indicate that the machine has already been compromised and download data in ZIP archives. ESET also observed identical distribution chains distributing several different payloads and shared execution methods.

“Additionally, different families use similar spam email templates in their latest campaigns, almost as if this was a coordinated move,” says Souček. “Since we don’t believe it to be possible that independent malware authors would come up with so many common ideas – and, moreover, since we don’t believe one group to be responsible for maintaining all these malware families – we must conclude that these are multiple threat actors closely cooperating with each other.”  

For more technical details about this spyware, read the white paper “LATAM financial cybercrime: Competitors in crime sharing TTPs” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.  

About ESET 
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit or follow us on  LinkedIn, Facebook , and Twitter.