Threat Watch

Numando Banking Trojan Targets Latin America

A new banking Trojan named Numando has been outlined by ESET as part of a series on malware in Latin America. The Trojan has been active since 2018 and is written in Delphi. The main goal of the Trojan, once downloaded, is to display fake financial website overlays on victims’ computers to trick them into giving away sensitive information such as credentials. The main distribution for Numando is via spam campaigns and phishing emails where a .ZIP file will be sent as a decoy to victims. The file contains a .CAB archive bundled with a legitimate software application, an injector, and the Trojan. The malware is hidden in a large .BMP file. If the software app is executed, the injector is side-loaded and the malware is then decrypted using an XOR algorithm and a key. Numando is also delivered by abusing public services such as Pastebin and YouTube. Google has been made aware of many videos used to spread the Trojan and has taken them down.


According to researchers this malware is not very sophisticated and the lack of infections that have been seen proves this. This Trojan is also not under continuous development, so it can be detected by antivirus and other detection software. Numando is also able to simulate mouse clicks and keyboard actions, hijack PC shutdown and restart functions, take screenshots, and kill browser processes. It is best practice to use antivirus software on personal computers routinely to check for any type of malware living on the machine. For corporations, a security monitoring service such as Binary Defense’s Managed Detection and Response is best to actively monitor for any threats towards the organization.