ESET Research: Latin American banking trojans spread to Europe at the height of activity

Next story
  • Latin American banking trojans are an ongoing, evolving threat and ESET has recently seen some of their biggest campaigns to date.
  • They target mainly Brazil, Spain, and Mexico.
  • Mekotio and Grandoreiro expanded to Europe, mainly targeting Spain but also Italy, France and Belgium.
  • There are at least eight different malware families still active.
  • In June this year, Spanish law enforcement arrested 16 people in relation to Mekotio and Grandoreiro.
  • The vast majority (90%) are distributed via spam.

BRATISLAVA, PRAGUE – ESET Research is today concluding its blogpost series dedicated to demystifying Latin American banking trojans started in August 2019. Since then, it has covered the most active ones, namely Amavaldo, Casbaneiro, Mispadu, Guildma, Grandoreiro, Mekotio, Vadokrist, Ousaban and Numando. Latin American banking trojans share a lot of common characteristics and behaviour. Altogether, ESET has identified a dozen different malware families, most of which remain active to this day. The most significant discovery during the course of this investigation is the expansion of Mekotio and Grandoreiro to Europe, mainly Spain. ESET researchers have also observed occasional small campaigns targeting Italy, France and Belgium. Since Latin American banking trojans expanded to Europe, they have been getting more attention from both researchers and police forces. In the last few months, ESET has seen some of their biggest campaigns to date.

ESET telemetry shows a surprisingly large increase in the reach of Ousaban, Grandoreiro and Casbaneiro in recent months, leading to the conclusion that the threat actors behind these malware families are determined to continue their nefarious actions against users in targeted countries.

The campaigns we see always come in waves and more than 90% of them are distributed through spam, usually leading to a ZIP archive or an MSI installer. One campaign usually lasts for a week at most.

“Brazil is still the most targeted country, followed by Spain and Mexico. Since 2020, Grandoreiro and Mekotio expanded to Europe – mainly Spain. What started as several minor campaigns, likely to test the new territory, evolved into something much bigger. In fact, in August and September 2021, Grandoreiro launched its largest campaign so far and it targeted Spain,” says ESET researcher Jakub Souček, who leads the investigation into Latin American banking trojans.

In June this year, Spanish law enforcement arrested 16 people related to Mekotio and Grandoreiro. In the report, police state that almost €300,000 were stolen and they were able to block the transfer of a total of €3.5 million. Correlating this arrest with Latin American banking trojan activity in Spain, Mekotio seems to have taken a much larger hit than Grandoreiro, leading ESET to believe that the people arrested were more connected to Mekotio. Even though Mekotio went very quiet for almost two months after the arrest, ESET continues to see new campaigns distributing Mekotio.

Latin American banking trojans used to change rapidly. In the early days of ESET’s tracking, some of them were adding to or modifying their core features even several times a month. Nowadays they still change very often, but the core seems to remain mostly untouched. Due to the partially stabilised development, we believe the operators are now focusing on improving distribution.

“Latin American banking trojans require a lot of conditions to attack successfully,” explains Souček. “Potential victims need to follow steps required to install the malware on their machines; they need to visit a targeted website and log into their accounts. On the other side, operators need to react to this situation by manually commanding the malware to display the fake pop-up window and take control of the victim’s machine.”

During the course of this research series, several Latin American banking trojans became inactive, namely Krachulka, Lokorrito and Zumanek. ESET researchers also discovered Janeleiro, a new Latin American banking trojan. In the future, ESET expects we may see some of these banking trojans expanding to the Android platform.

For more technical details about these Latin American banking trojans, read the blogpost “The dirty dozen of Latin America: From Amavaldo to Zumanek” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.



Top three countries most affected by Latin American banking trojans


Latin American banking trojan activity worldwide


About ESET 
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multi-factor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defences in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centres worldwide, working in support of our shared future. For more information, visit our website or follow us on LinkedInFacebook, and Twitter.