ESET Research Discovers Close Cooperation Among Latin American Financial Cybercriminals

Next story

BRATISLAVA, PRAGUE – ESET researchers have today published a white paper detailing their findings on the interconnected nature of Latin American banking trojan families. Even though Latin American banking trojans can be looked upon as one homogenous group of malware, ESET reports that multiple distinct malware families can be recognised. At the same time, ESET researchers have discovered a surprising number of indicators of close cooperation among Latin American banking trojan authors. Despite the term “Latin American,” some of the trojans have been targeting Spain and Portugal since late last year. The white paper was first published during the VB2020 localhost conference.

“Over the past year, we have been publishing an ongoing blog post series about Latin American banking trojan families. These blog posts mainly focus on the most important and interesting aspects of these families,” says Jakub Souček, one of the researchers working on Latin American financial cybercrime. “At the VB conference, we looked at these families from a high-level perspective. Rather than examining details of each family and highlighting their unique characteristics, we focussed on what they have in common.”

The first similarities ESET spotted were in the actual implementation of these banking trojans. The most obvious are the practically identical implementations of the banking trojans’ core functionalities and attack techniques via fake pop-up windows, carefully designed to lure victims into providing sensitive information. Besides that, these malware families share third-party libraries, generally unknown string encryption algorithms, and both string and binary obfuscation techniques.

Other similarities can be observed in malware distribution. The trojans usually check for a marker used to indicate that the machine has already been compromised and download data in ZIP archives. ESET also observed identical distribution chains distributing several different payloads and shared execution methods.

“Additionally, different families use similar spam email templates in their latest campaigns, almost as if this was a coordinated move,” says Souček. “Since we don’t believe it to be possible that independent malware authors would come up with so many common ideas – and, moreover, since we don’t believe one group to be responsible for maintaining all these malware families – we must conclude that these are multiple threat actors closely cooperating with each other.”

For more technical details about this spyware, read the white paper “LATAM Financial Cybercrime: Competitors in Crime Sharing TTPs” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.


About ESET 
For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defences in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centres worldwide, ESET is the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit our website or follow us on LinkedIn, Facebook and Twitter.