This Cartel of Latin American Banking Trojans may be the Largest Malware Collaboration Ever

Collaboration between various malware creators is a well-known phenomena. However, recent research by ESET researchers has revealed a massive act of coordination between a large number of banking malware families across Latin America, which could be the largest ever seen in history.

What has been discovered?

ESET researchers found 11 banking trojan families that have been sharing their skills and resources on malware capabilities, distribution channels, and target areas.
  • The malware families including Amavaldo, Casbaneiro, Grandoreiro, Guildma, Krachulka, Lokorrito, Mekotio, Mispadu, Numando, Vadokrist, and Zumanek have been observed using the same encryption algorithms, and similar domain generation algorithms to connect to C2 servers.
  • They use the same core functionalities or modules, such as operator notifications, regular scan for active windows, and similar pop-up windows for fake banking applications.
  • Moreover, they were observed using the same uncommon third-party libraries, encryption algorithms, and obfuscation techniques.

Additional similarities

Besides sharing the same development infrastructure, they shared the same TTPs.
  • Several of the malware families have been using Windows Installer (MSI files) as the first stage of the distribution chain.
  • Their execution methods include DLL side-loading (targeting the same set of software) and a legitimate AutoIt interpreter. 
  • A similar distribution flow, using similar email templates is another common attribute among these malware families.
  • Additionally, several of the trojans started targeting Spain and Portugal in their recent attacks.

Recent incidents

Several malware collaborators have been observed joining forces and sharing their skills and resources to carry out their attack campaigns. 
  • In August, the Maze Cartel was joined by two new malware, Conti and SunCrypt. However, the Maze group later denied the claim stating no affiliation with SunCrypt. The existing members already include LockBit and Ragnar Locker. 
  • In the same month, five different Chinese APTs, suspected to be the components of the Winnti Group, were observed using the same shared resource (a Linux spyware toolset).

Ending notes

Such a massive level of coordination among threat actors is certainly a sign of further development and maturity of cybercrime operations. To stay protected against such unified threats, experts recommend adopting a proactive security strategy to combat such cyberattacks, rather than running your defense strategy in a fire-fighting mode.