Numando – A Trojan Abuses YouTube & Pastebin to Spread  & Hack Windows Users

A Latin American banking Trojan named Numando has been detected recently by the ESET researchers, and it’s targetting Brazil, some areas of Mexico, and Spain.

Numando banking trojan is comparable to the other malware families that are being described in the series of Latin American Trojan.

This trojan generally uses the miscreant browser overlays, backdoor functionality, and management of public services such as YouTube to collect its remote settings. 

However, unlike different Latin American banking Trojans, Numando reveals no signs of continued improvement. The most important point is that Numando is not as active as additional Trojans like Mekotio or Grandoreiro.


On completion of the investigation, the security analysts noted that Numando is written in Delphi and uses fake overlay windows, with the motive to camouflage sensitive data out of its victims. 

Apart from all these, in this trojan, the backdoor capabilities enable Numando to copy the actions of the mouse and keyboard and then restart and shutdown the machine, display overlay windows, so that it can take a screenshot and kill browser methods.

More importantly, in the Numando the commands are quite defined as numbers rather than strings, and this helped the experts to give the name of the trojan.

Delivery and execution

Numando is distributed completely by spam, but, this campaign has affected numerous hundred victims, and that’s why it makes it considerably less prosperous than other strong widespread LATAM banking trojans for example Mekotio and Grandoreiro.

While the recent campaigns have added a ZIP attachment that is including an MSI installer in every spammed message. And here the remarkable point is that the installer includes an archive with a legitimate application, an injector, and an encrypted Numando banking trojan DLL.

Bait ZIP & BMP overlay

The chain in Numando starts with a Delphi downloader downloading a decoy ZIP archive. However, here the downloader overlooks the archive’s contents and extricates a hex-encoded encrypted string of the ZIP file comment.

But there is an optional ZIP file element that has been collected at the end of the file. Moreover, there is a second ZIP archive that contains a legitimate application.

The second ZIP has an injector and it also has a problematically large BMP image. In that case, the downloader extricates the contents of this archive and later it determines the legitimate application.

Remote configuration

So, just like many other Latin American banking trojans, Numando also violates the public services with the motive to collect its remote configuration such as YouTube and Pastebin.

That’s why the whole format of this Trojan is not that difficult, as it has three entries delimited by “:” between the DATA:{ and } markers. And each and every entry is being encrypted individually, and it also has keys that was being hardcoded in the binary.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.