Picus Threat Library Is Updated for Trojans Targeting Banks in Latin America

Picus Labs has updated the Picus Threat Library with new attack methods for the Krachulka, Lokorrito, and Zumanek Trojans, which target banks in Brazil, Mexico, and Spain. In this blog, we explore the techniques used by these malware families.

Banking trojans play a significant role in the cybercrime scene in Latin America. According to ESET, 11 different malware families that target banks in Spanish- and Portuguese-speaking countries share TTPs, indicating that the threat actors behind them cooperate on some level. For example, the same or similar custom encryption schemes are used across these malware families. In this blog, we focus on three of them: Krachulka, Lokorrito, and Zumanek.

Let's start with Krachulka. As spyware, it gathers sensitive information from infected systems without the user's consent and sends the collected data to remote threat actors.

Lokorrito and Zumanek behave like classic Remote Access Trojans (RATs). They go one step further than Krachulka: in addition to collecting information from infected systems, they perform malicious operations such as infecting the target with other malware and launching denial-of-service (DoS) attacks.


Techniques used by Krachulka, Lokorrito and Zumanek

The Krachulka, Lokorrito, and Zumanek malware families use 26 techniques and sub-techniques under 10 tactics of the MITRE ATT&CK framework. This section lists the malicious behaviors of these malware families, categorized according to MITRE ATT&CK v10.0.

1. Initial Access

  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link

2. Execution

  • T1059 Command and Scripting Interpreter
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.007 Command and Scripting Interpreter: JavaScript/JScript

3. Persistence

  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
  • T1574.002 Hijack Execution Flow: DLL Side-Loading

4. Defense Evasion

  • T1140 Deobfuscate/Decode Files or Information
  • T1220 XSL Script Processing
  • T1497.001 Virtualization/Sandbox Evasion: System…