LATAM financial cybercrime: competitors in crime sharing TTPs

Jakub Souček (ESET) & Martin Jirkal (ESET)
Live only: 17:45 - 18:15 UTC, Thursday 1 October 2020 (Day 2)
A significant portion of the crimeware in Latin America is made up of banking trojans. Due to many common characteristics, these banking trojans are often treated as one. Our ongoing research clearly shows that this is not the case and that at least 11 distinct malware families exist among them. More importantly, they are constantly evolving and incorporating new TTPs.

Over the course of our research one thing has become clear: the operators of these banking trojans appear to be in contact with one another. We first spotted this when examining algorithms used for string encryption. Most Latin American banking trojans use very simple custom encryption schemes that are generally unknown in the broader programming community, and yet we see the same algorithm being used in six different families.

These common features do not end with the binaries’ contents. By examining the distribution chains (usually a combination of several stages written in various scripting languages), we found usage of the same obfuscation methods or packers applied to different scripts.

During our research we encountered some major milestones – changes that affected basically all the families we have identified. We have seen the vast majority of those families transition from VMProtect to Themida – both powerful binary obfuscation tools. Similarly, over a period of just a few months, they globally switched their initial download method to using Microsoft Installer (MSI).

Finally, some TTPs seem to stay strongly rooted deep inside the region. These include the heavy use of ZIP archives and the use of DLL side-loading as the favoured execution method.

Even though the sharing of knowledge among cybercriminals is not unusual, seeing so many examples of it in region-specific malware families with the same focus caught our attention. Our presentation will cover all the common characteristics we have discovered and include a timeline illustrating the evolution of these banking trojans. We will draw conclusions about which families are most closely interlinked and how the modus operandi of Latin American banking trojans is different from banking trojans in the rest of the world.
Jakub Souček (ESET)
Jakub Souček graduated from Czech Technical University in Prague. He joined ESET in 2015. His current work there is focused on proactive botnet tracking and deep analysis of malware. He also participates in developing tools to help track botnets and extract useful information about their evolution. In his free time, he enjoys listening to music and is a big fan of many TV series.
Martin Jirkal (ESET)
Martin Jirkal is analyst team lead and detection engineer in the virus laboratory of ESET in Prague. He is responsible for the detection of new threats, the monitoring and detection of crimeware threats, and the education of new ESET talents. He is co-creator and occasional teacher of reverse engineering classes at Czech Technical University in Prague, where he graduated. In addition to IT security and reverse engineering, he also loves complex board and role-playing games.