Latin American banking trojans expand into Europe

ESET Research extensively followed the Latin American banking trojans since last year and found that they share a lot of common characteristics and behavior. Altogether, ESET has identified a dozen different malware families, most of which remain active to this day. The most significant discovery during the course of this investigation is the expansion of Mekotio and Grandoreiro to Europe, mainly Spain.

ESET researchers have also observed occasional small campaigns targeting Italy, France and Belgium. Since Latin American banking trojans expanded to Europe, they have been getting more attention from both researchers and police forces. In the last few months, ESET has seen some of their biggest campaigns to date.

ESET telemetry shows a surprisingly large increase in the reach of Ousaban, Grandoreiro and Casbaneiro in recent months, leading to the conclusion that the threat actors behind these malware families are determined to continue their nefarious actions against users in targeted countries.

The campaigns we see always come in waves and more than 90% of them are distributed through spam, usually leading to a ZIP archive or an MSI installer. One campaign usually lasts for a week at most.

“Brazil is still the most targeted country, followed by Spain and Mexico. Since 2020, Grandoreiro and Mekotio expanded to Europe – mainly Spain. What started as several minor campaigns, likely to test the new territory, evolved into something much bigger. In fact, in August and September 2021, Grandoreiro launched its largest campaign so far and it targeted Spain,” says ESET researcher Jakub Souček, who leads the investigation into Latin American banking trojans.

In June this year, Spanish law enforcement arrested 16 people related to Mekotio and Grandoreiro. In the report, police state that almost €300,000 were stolen and they were able to block the transfer of a total of €3.5 million. Correlating this arrest with Latin American banking trojan activity in Spain, Mekotio seems to have taken a much larger hit than Grandoreiro, leading ESET to believe that the arrested people were more connected to Mekotio. Even though Mekotio went very quiet for almost two months after the arrest, ESET continues to see new campaigns distributing Mekotio.

Latin American banking trojans used to change rapidly. In the early days of ESET’s tracking, some of them were adding to or modifying their core features even several times a month. Nowadays they still change very often, but the core seems to remain mostly untouched. Due to the partially stabilized development, we believe the operators are now focusing on improving distribution.

“Latin American banking trojans require a lot of conditions to attack successfully,” explains Souček. “Potential victims need to follow steps required to install the malware on their machines; they need to visit a targeted website and log into their accounts. On the other side, operators need to react to this situation by manually commanding the malware to display the fake pop-up window and take control of the victim’s machine.”

During the course of this research series, several Latin American banking trojans became inactive, namely, Krachulka, Lokorrito and Zumanek. ESET researchers also discovered Janeleiro, a new Latin American banking trojan. In the future, ESET expects we may see some of these banking trojans expanding to the Android platform.