The dirty dozen of Latin America: From Amavaldo to Zumanek

The grand finale of our series dedicated to demystifying Latin American banking trojans

ESET started this blogpost series dedicated to demystifying Latin American banking trojans in August 2019. Since then, we have covered the most active ones, namely Amavaldo, Casbaneiro, Mispadu, Guildma, Grandoreiro, Mekotio, Vadokrist, Ousaban and Numando. Latin American banking trojans share a lot of common characteristics and behavior – a topic ESET has dedicated a white paper to. Therefore, in the series, we have focused on the unique features of each malware family to help distinguish one from the other.

Key takeaways

  • Latin American banking trojans are an ongoing, evolving threat
  • They target mainly Brazil, Spain, and Mexico
  • There are at least eight different malware families still active at the time of this writing
  • Three families went dormant during the course of this series so didn’t get their own blogpost, but we briefly describe their main features here
  • The vast majority are distributed via spam, often leading to a ZIP archive or an MSI installer

Current state

Besides Amavaldo, which became dormant around November 2020, all the other families remain active to this day. Brazil is still the most targeted country, followed by Spain and Mexico (see Figure 1). Since 2020, Grandoreiro and Mekotio expanded to Europe – mainly Spain. What started as several minor campaigns, likely to test the new territory, evolved into something much grander. In fact, in August and September 2021, Grandoreiro launched its largest campaign to date and it targeted Spain (see Figure 2).

Figure 1. Top three countries most affected by Latin American banking trojans

Figure 2. LATAM banking trojan activity in Spain

While Grandoreiro remains dominant in Spain, Ousaban and Casbaneiro dominated Brazil in the latest months, as illustrated by Figure 3. Mispadu seems to have shifted its focus almost exclusively to Mexico, often accompanied by Casbaneiro and Grandoreiro, as seen in Figure 4.

Figure 3. LATAM banking trojan activity in Brazil

Figure 4. LATAM banking trojan activity in Mexico

Latin American banking trojans used to change rapidly. In the early days of our tracking, some of them were adding to or modifying their core features several times a month. Nowadays they still change very often, but the core seems to remain mostly untouched. Due to partially stabilized development, we believe the operators are now focusing on improving distribution.

The campaigns we see always come in waves and more than 90% of them are distributed via spam. One campaign often lasts for a week at most. In Q3 and Q4 2021, we have seen Grandoreiro, Ousaban and Casbaneiro increasing their reach enormously compared to their previous activity, as illustrated in Figure 5.

Figure 5. LATAM banking trojan activity worldwide


Latin American banking trojans require a lot of conditions to attack successfully:

  • Potential victims need to follow steps required to install the malware on their machines
  • Victims need to visit a targeted website and log into their accounts
  • Operators need to react to this situation and manually command the malware to display the fake pop-up window and take control of the victim’s machine
  • Victims need to not suspect malicious activity and possibly even enter an authentication code in the case of 2FA

That said, it’s hard to estimate the impact of these banking trojans just based on telemetry. However, in June this year, we were able to get a picture when Spanish law enforcement arrested 16 people connected to Mekotio and Grandoreiro.

In the report, police state that almost €300,000 were stolen and they were able to block the transfer of a total of €3.5 million. Correlating this arrest with Figure 2, we see that Mekotio seems to have taken a much larger hit than Grandoreiro, leading us to believe that the arrested people were more connected to Mekotio. Even though Mekotio went very quiet for almost two months after the arrest, ESET continues to see new campaigns distributing Mekotio at the time of writing.

For reference purposes, back in 2018, Brazilian police forces arrested a criminal behind another banking trojan in what was called Operation Ostentation. They estimated that he had been able to steal approximately US$400 million from victims in Brazil.

Families we didn’t cover

During the course of our series, a number of Latin American banking trojans became inactive. While we had planned to dedicate separate pieces to them, since they’ve been inactive for over a year now, we will just briefly mention them in the sections below. We also provide IoCs for them at the end of this blogpost.


This malware household was lively in Brazil till the center of 2019. Its most noticeable attribute was its utilization of well-known cryptographic strategies to encrypt strings, versus nearly all of Latin American banking trojans that primarily use customized encryption schemes, a few of that are shared throughout these households. We have now noticed Krachulka variants utilizing AES, RC2, RC4, 3DES and a barely personalized variant of Salsa20.

Krachulka, regardless of being written in Delphi like most different Latin American banking trojans, was distributed by a downloader written within the Go programming language – one other distinctive attribute amongst this type of banking malware (see Determine 6).

Determine 6. Krachulka downloader written in Go


This malware household was lively primarily in Mexico till the start of 2020. We had been capable of determine extra builds, every devoted to focus on a distinct nation – Brazil, Chile and Colombia.

Probably the most figuring out function of Lokorrito is its utilization of a customized Consumer-Agent string in community communication (see Determine 7). We have now noticed two values – LA CONCHA DE TU MADRE and 4RR0B4R 4 X0T4 D4 TU4 M4E, each fairly vulgar expressions in Spanish and Portuguese, respectively.

Determine 7. Lokorrito Consumer-Agent
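Because the two User-Agent values above are fixed strings, they can be hunted for in proxy or gateway logs. The following is an added example, not ESET's tooling: it assumes logs in Combined Log Format, matches case- and whitespace-insensitively (an assumption, to tolerate trivial variation), and runs on constructed sample lines.

```python
import re
from collections import defaultdict

# The two User-Agent values the article reports for Lokorrito.
LOKORRITO_USER_AGENTS = (
    "LA CONCHA DE TU MADRE",
    "4RR0B4R 4 X0T4 D4 TU4 M4E",
)

# Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
# Assumption: the proxy or web gateway writes its access log in this format.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def normalise(ua):
    """Collapse whitespace and case so trivial variations still match."""
    return " ".join(ua.split()).upper()

KNOWN = {normalise(ua) for ua in LOKORRITO_USER_AGENTS}

def find_lokorrito_hits(lines):
    """Return {client_host: [(timestamp, request), ...]} for matching lines."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and normalise(m.group("ua")) in KNOWN:
            hits[m.group("host")].append((m.group("time"), m.group("request")))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges and example.* hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2020:10:01:02 +0000] "GET http://c2.example.net/a.php HTTP/1.1" 200 512 "-" "LA CONCHA DE TU MADRE"',
    '192.0.2.11 - - [12/Jan/2020:10:01:05 +0000] "GET http://www.example.com/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.0.2.10 - - [12/Jan/2020:10:06:40 +0000] "POST http://c2.example.net/b.php HTTP/1.1" 200 20 "-" "la concha  de tu madre"',
    '192.0.2.27 - - [12/Jan/2020:11:15:00 +0000] "GET http://c2.example.net/a.php HTTP/1.1" 404 0 "-" "4RR0B4R 4 X0T4 D4 TU4 M4E"',
]

if __name__ == "__main__":
    for host, events in find_lokorrito_hits(SAMPLE_LOG).items():
        print(host, len(events), "first seen", events[0][0])
```

Grouping hits by client host gives a list of internal machines to triage rather than a list of individual requests.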

We have identified several additional Lokorrito-related modules. First, a backdoor, which basically functions like a simplified version of the banking trojan without the support for fake overlay windows. We believe it was installed in some Lokorrito campaigns first and, only if the attacker saw fit, it was updated to the actual banking trojan. Then, a spam tool, which generates spam emails distributing Lokorrito and sends them to further potential victims. The tool generated the emails based on both hardcoded data and data obtained from a C&C server. Finally, we identified a simple infostealer designed to steal the victim’s Outlook address book and a password stealer intended to harvest Outlook and FileZilla credentials.


This malware household was lively completely in Brazil till the center of 2020. It was the primary Latin American banking trojan malware household ESET recognized. In truth, ESET analyzed one variant in 2018 here (in Portuguese).

Zumanek is recognized by its technique for obfuscating strings. It creates a operate for every character of the alphabet after which concatenates the results of calling the right capabilities in sequence, as illustrated in Determine 8.

Determine 8. Zumanek string obfuscation approach
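To make the pattern concrete for analysts, here is an added sketch (not code from the malware or from ESET) that recovers strings from a constructed Delphi-style listing using one function per character. The function names, the listing syntax and the variable names are hypothetical; real samples would have to be mapped from decompiler output.

```python
import re

# Constructed listing imitating the pattern described above: one function per
# character, strings built by concatenating calls. Names are hypothetical.
SAMPLE_SOURCE = """
function chr_d: string; begin Result := 'd'; end;
function chr_r: string; begin Result := 'r'; end;
function chr_i: string; begin Result := 'i'; end;
function chr_v: string; begin Result := 'v'; end;
function chr_e: string; begin Result := 'e'; end;
function chr_2: string; begin Result := '2'; end;
FileName := chr_d + chr_r + chr_i + chr_v + chr_e + chr_2;
Mixed := chr_d + Unknown + chr_e;
"""

# A function whose whole body returns a single-character literal.
CHAR_FUNC = re.compile(
    r"function\s+(\w+)\s*:\s*string\s*;\s*begin\s+Result\s*:=\s*'(.)'\s*;\s*end\s*;",
    re.IGNORECASE,
)
# An assignment whose right-hand side is a chain of identifiers joined by '+'.
ASSIGNMENT = re.compile(
    r"^\s*(\w+)\s*:=\s*(\w+(?:\s*\+\s*\w+)+)\s*;\s*$", re.MULTILINE
)

def build_char_map(source):
    """Map each single-character function name (lowercased) to its character."""
    return {name.lower(): ch for name, ch in CHAR_FUNC.findall(source)}

def recover_strings(source):
    """Return {variable: recovered string}; unresolved calls stay as <name>."""
    char_map = build_char_map(source)
    recovered = {}
    for var, expr in ASSIGNMENT.findall(source):
        parts = [p.strip() for p in expr.split("+")]
        recovered[var] = "".join(char_map.get(p.lower(), f"<{p}>") for p in parts)
    return recovered

if __name__ == "__main__":
    for var, value in recover_strings(SAMPLE_SOURCE).items():
        print(f"{var} = {value!r}")
```

Unresolved identifiers are kept visible as `<name>` so partially recovered strings are not mistaken for complete ones.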

Interestingly, Zumanek never utilized any complicated payload execution methods. Its downloaders simply downloaded a ZIP archive containing only the banking trojan executable, often named drive2. The executable was very often protected by either the VMProtect or Armadillo packer.

We think with low confidence that Ousaban may be the successor of Zumanek. Even though the two malware families don’t seem to share any code similarities, their remote configuration format uses very similar delimiters (see Figure 9). Additionally, we have observed several servers used by Ousaban that looked very much like those used by Zumanek in the past.

Figure 9. Similarities between Zumanek and Ousaban remote configuration formats

The future

Since Latin American banking trojans expanded to Europe, they’ve been getting more attention from both researchers and police forces. In the latest months, we’ve seen some of their largest campaigns to date.

ESET researchers also discovered Janeleiro, a Latin American banking trojan written in .NET. Additionally, we may see some of these banking trojans expanding to the Android platform. In fact, one such banking trojan, Ghimob, has already been attributed to the threat actor behind Guildma. However, since we continue to see the developers actively improving their Delphi binaries, we believe they won’t just abandon their current arsenal.

Even though many Latin American banking trojans are somewhat cumbersome and overcomplicated in their implementation, they represent a different approach to attacking victims’ bank accounts. As opposed to the most notorious banking trojans of the recent past, they don’t inject the web browser, nor do they need to find ways to webinject a certain banking website. Instead, they design a pop-up window – likely a much faster and easier process. The threat actors already have templates at their disposal that they easily modify for different financial institutions (see Figure 10). That’s their main advantage.

Figure 10. Fake overlay window templates

The main disadvantage is that there’s little to no automation in the attack process – without active participation of the attacker, the banking trojan will do almost no harm. Whether some new type of malware will try to automate this approach remains a question for the future.


In our series, we have presented the most active Latin American banking trojans of the past few years. We have identified a dozen different malware families, most of which remain active at the time of this writing. We have identified their unique features as well as their many commonalities.

The most significant discovery during the course of our series is likely the expansion of Mekotio and Grandoreiro to Europe. Besides Spain, we’ve observed occasional small campaigns targeting Italy, France and Belgium. We believe these banking trojans will continue to test new territories for future expansion.

Our telemetry shows a surprisingly large increase in the reach of Ousaban, Grandoreiro and Casbaneiro in recent months, leading us to conclude the threat actors behind these malware families are determined to continue their nefarious activities against users in targeted countries. ESET will continue to track these banking trojans and keep users safe from these threats.

For any inquiries, contact us at [email protected]. Indicators of Compromise for all of the mentioned malware families can be found on our GitHub repository.

Indicators of Compromise (IoCs)



Krachulka

SHA-1 Description ESET detection name
83BCD611F0FD4D7D06C709BC5E26EB7D4CDF8D01 Krachulka banking trojan Win32/Spy.Krachulka.C
FFE131ADD40628B5CF82EC4655518D47D2AB7A28 Krachulka banking trojan Win32/Spy.Krachulka.C
4484CE3014627F8E2BB7129632D5A011CF0E9A2A Krachulka banking trojan Win32/Spy.Krachulka.A
20116A5F01439F669FD4BF77AFEB7EFE6B2175F3 Krachulka Go downloader Win32/TrojanDownloader.Banload.YJA


Lokorrito

SHA-1 Description ESET detection name
4249AA03E0F5142821DB2F1A769F3FE3DB63BE54 Lokorrito banking trojan Win32/Spy.Lokorrito.L
D30F968741D4023CD8DAF716C78510C99A532627 Lokorrito banking trojan Win32/Spy.Lokorrito.A
6837d826fbff3d81b0def4282d306df2ef59e14a Lokorrito banking trojan Win32/Spy.Lokorrito.L
2F8F70220A9ABDCAA0868D274448A9A5819A3EBC Lokorrito backdoor module Win32/Spy.Lokorrito.S
0066035B7191ABB4DEEF99928C5ED4E232428A0D Lokorrito backdoor module Win32/Spy.Lokorrito.R
B29BB5DB1237A3D74F9E88FE228BE5A463E2DFA4 Lokorrito backdoor module Win32/Spy.Lokorrito.M
119DC4233DF7B6A44DEC964A084F447553FACA46 Spam tool Win32/SpamTool.Agent.NGO
16C877179ADC8D5BFD516B5C42BF9D0809BD0BAE Password stealer Win32/Spy.Banker.ADVQ
072932392CC0C2913840F494380EA21A8257262C Outlook infostealer Win32/Spy.Agent.PSN


Zumanek

SHA-1 Description ESET detection name
69FD64C9E8638E463294D42B7C0EFE249D29C27E Zumanek banking trojan Win32/Spy.Zumanek.DO
59C955C227B83413B4BDF01F7D4090D249408DF2 Zumanek banking trojan Win32/Spy.Zumanek.DK
4E49D878B13E475286C59917CC63DB1FA3341C78 Zumanek banking trojan Win32/Spy.Zumanek.DK
2850B7A4E6695B89B81F1F891A48A3D34EF18636 Zumanek downloader (MSI) Win32/Spy.Zumanek.DN
C936C3A661503BD9813CB48AD725A99173626AAE Zumanek downloader (MSI) Win32/Spy.Zumanek.DM

MITRE ATT&CK techniques

We have created a MITRE ATT&CK table showing a comparison of the techniques used by the Latin American banking trojans featured in this series. It was released as part of our white paper dedicated to examining the many similarities between these banking trojans and can be found here.

