A new banking trojan, Numando, was spotted exploiting public platforms, such as YouTube and Pastebin, to propagate to more victims' systems. The trojan, written in the Delphi language, is believed to have been active since 2018.

What has happened?

According to researchers, Numando is financial malware that creates an overlay effect to trick victims in Mexico and Spain.
  • After being installed on the target machine, it triggers fake overlay windows to collect sensitive information and financial credentials from the victims.
  • The malware abuses Pastebin and YouTube services to manage its remote configuration settings in a very simple format: three entries, separated by ":", are placed between the DATA:{ and } markers.
  • Each entry is encrypted separately with a key hardcoded in the binary, which makes the configuration harder to decrypt.
  • It can simulate mouse clicks and keyboard actions, hijack the PC’s shutdown/restart functions, kill browser processes, and take screenshots. The malware shows no sign of continuous development.
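
The configuration format described above can be hunted for in text retrieved from paste sites or video descriptions (for example, proxy-captured response bodies). The following is an added example, not code from the researchers or the original page; the function names are hypothetical, the sample inputs are constructed, and the entry encoding is assumed to be opaque tokens without whitespace, since the page gives only the markers and the ":" separator.

```python
import re

# Assumption: each encrypted entry is an opaque token containing no
# whitespace, braces or ':'; the page does not state the encoding.
MARKER = re.compile(r"DATA:\{([^{}\s]+)\}")

def find_config_blobs(text):
    """Return a 3-tuple of entries for every DATA:{a:b:c} blob in text."""
    hits = []
    for match in MARKER.finditer(text):
        entries = match.group(1).split(":")
        # The described format has exactly three non-empty entries.
        if len(entries) == 3 and all(entries):
            hits.append(tuple(entries))
    return hits

def scan_documents(docs):
    """docs maps a source label to its retrieved text; returns findings."""
    findings = []
    for source, text in docs.items():
        for entries in find_config_blobs(text):
            findings.append({
                "source": source,
                "entries": entries,          # still encrypted; not decoded here
                "lengths": [len(e) for e in entries],
            })
    return findings

# Constructed sample inputs (not real indicators).
SAMPLES = {
    "paste-1": "hello\nDATA:{4F2A9C:77B1:0E55D3AA}\nbye",
    "video-description-1": "Great video! DATA:{onlytwo:entries} subscribe",
    "paste-2": "config DATA:{a:b:c:d} has four entries",
    "paste-3": "DATA:{a:b:} has an empty entry",
    "paste-4": "no marker here",
}

if __name__ == "__main__":
    for finding in scan_documents(SAMPLES):
        print(finding)
```

Only the first constructed sample matches; blobs with two, four or empty entries are rejected, which keeps the check tied to the three-entry layout rather than to any text containing "DATA:".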

Operational insights

  • In recent campaigns, phishing messages and ZIP attachments were sent to users, with a decoy ZIP file downloaded alongside the actual ZIP file.
  • The actual ZIP file contains a CAB archive with a valid software app, an injector, and the trojan. The trojan is stored inside a large BMP image file.
  • The injector is side-loaded after the software app is executed. The trojan is then decrypted using an XOR algorithm and key.
  • The attacks are not that sophisticated, limiting the trojan’s success in comparison to its contemporaries, such as Mekotio and Grandoreiro.


Numando is mostly targeting Brazil, with a few campaigns aimed at Mexico and Spain. The infection rate is low at the moment; however, that could change quickly in the upcoming days with new attack tactics. Therefore, banking customers are advised to follow all the recommended security best practices to stay protected.

Cyware Publisher