{
	"id": "c0766ff7-172b-48d0-af71-4b6856faf82b",
	"created_at": "2026-04-06T00:08:19.595133Z",
	"updated_at": "2026-04-10T03:21:24.213035Z",
	"deleted_at": null,
	"sha1_hash": "19bb0842ce7de5673612eacd9f43dd1fe73c23c1",
	"title": "LATAM financial cybercrime: Competitors-in-crime sharing TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 324910,
	"plain_text": "LATAM financial cybercrime: Competitors-in-crime sharing TTPs\r\nBy ESET Research\r\nArchived: 2026-04-05 22:59:23 UTC\r\nESET researchers discover surprisingly many indicators of close cooperation among Latin American banking trojans’ authors\r\n01 Oct 2020  •  5 min. read\r\nESET has published a white paper detailing its findings about the interconnectivity of Latin American banking trojan families. The white paper was also published by Virus Bulletin.\r\nOverview\r\nFor a long time, Latin American banking trojans were looked upon as one group of malware. ESET researchers discovered that this is not the case and that, despite having so much in common, multiple distinct malware families can be recognized among these banking trojans. Over the past year, we have been publishing an ongoing blogpost series about Latin American banking trojan malware families. These blogposts focus mainly on the most important and interesting aspects of these families. So far, we have unmasked Amavaldo, Casbaneiro, Mispadu, Guildma, Grandoreiro and Mekotio in this series. In the pieces to come, we will continue with Krachulka, Lokorrito, Numando, Vadokrist and Zumanek.\r\nIn this white paper, we look at these families from a higher-level perspective – rather than examining the details of each family and highlighting their unique characteristics, we focus on what they have in common. If you've been following our series, you may have noticed some similarities between multiple families, such as using the same uncommon algorithm to encrypt strings or suspiciously similar DGAs to obtain C\u0026C server addresses.\r\nThe first similarities we spotted are in the actual implementation of these banking trojans. The most obvious one is the practically identical implementation of the banking trojans’ cores – sending notifications to the operator, periodically scanning active windows based on name or title, and attacking via fake pop-up windows carefully designed to lure sensitive information out of victims. Besides that, these malware families share uncommon third-party libraries, string encryption algorithms, and string and binary obfuscation techniques.\r\nHowever, the similarities do not end there. When analyzing the distribution chains of these malware families, we realized they share the same core logic, too – they usually check for a marker (an object, such as a file or registry key value, used to indicate that the machine has already been compromised), and download data in ZIP archives. Besides that, we have observed identical distribution chains ending up distributing multiple Latin American banking trojans. It is also worth mentioning that since 2019, the vast majority of these malware families have started to utilize Windows Installer (MSI files) as the first stage of the distribution chain.\r\nLatin American banking trojans share execution methods as well. They tend to bring their own tools bundled in the aforementioned ZIP archives. The two most common methods are DLL side-loading and abusing a legitimate AutoIt interpreter. Additionally, when using the former method, multiple families abuse the same vulnerable applications for that purpose (so-called Bring Your Own Vulnerable Software).\r\nhttps://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/\r\nPage 1 of 4\r\nThe term “Latin American banking trojan” comes from the region these banking trojans typically target – Latin America. However, since late 2019, we have seen several of them adding Spain and Portugal to the list of countries they target. Moreover, different families use similar spam email templates in their latest campaigns, almost as if this were a coordinated move as well.\r\nGiven so many similarities, one would expect the fake pop-up windows these banking trojans use to be shared too. In fact, the opposite seems to be the case. Even though the windows look similar (since they are designed to fool customers of the same financial institutions), we have not spotted multiple families using identical windows.\r\nSince we do not believe it possible that independent malware authors would come up with so many common ideas, and we also don’t believe one group to be responsible for maintaining all these malware families, we conclude that these are multiple threat actors closely cooperating with each other. You can find detailed information about the similarities briefly introduced here in the white paper.\r\nMITRE ATT\u0026CK techniques\r\nIn the table below, which is an aggregate of the techniques based on the standard MITRE ATT\u0026CK table, we illustrate many of the features Latin American banking trojans share. It is not an exhaustive list, but rather one that focuses on the similarities. It shows mainly that:\r\n- phishing is the most common attack vector\r\n- they heavily rely on scripting languages, mainly VBScript\r\n- Registry Run keys or the Startup folder are the most common methods of persistence\r\n- they all obfuscate either payloads or configuration data in some way\r\n- they heavily favor DLL side-loading\r\n- to steal credentials, they tend to use either fake pop-up windows or keyloggers\r\n- they devote considerable effort to collecting screenshots and scanning for security software\r\n- custom encryption algorithms are favored over established ones\r\n- they do not exfiltrate all harvested data to the C\u0026C server, but use different locations as well\r\nNote: This table was built using version 7 of the MITRE ATT\u0026CK framework. It was updated on May 5th, 2021, to include findings from our research into Ousaban.\r\nTactic | ID | Name | Amavaldo | Casbaneiro | Grandoreiro | Guildma | Krachulka | Lokorrito | Me\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅\r\nExecution | T1059.007 | Command and Scripting Interpreter: JavaScript/JScript | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ✅\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ | ✅\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅\r\nExecution | T1047 | Windows Management Instrumentation | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅\r\nExecution | T1059 | Command and Scripting Interpreter | ❌ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅\r\nDefense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nDefense Evasion | T1218.007 | Signed Binary Proxy Execution: Msiexec | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌\r\nDefense Evasion | T1197 | BITS Jobs | ❌ | ✅ | ❌ | ✅ | ✅ | ❌ | ✅\r\nDefense Evasion | T1112 | Modify Registry | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌\r\nDefense Evasion | T1218.011 | Signed Binary Proxy Execution: Rundll32 | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌\r\nDefense Evasion | T1027.001 | Obfuscated Files or Information: Binary Padding | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅\r\nDefense Evasion | T1220 | XSL Script Processing | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ✅\r\nCredential Access | T1056.002 | Input Capture: GUI Input Capture | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nCredential Access | T1056.001 | Input Capture: Keylogging | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅\r\nCredential Access | T1552.001 | Unsecured Credentials: Credentials In Files | ❌ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌\r\nDiscovery | T1010 | Application Window Discovery | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nDiscovery | T1082 | System Information Discovery | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nDiscovery | T1083 | File and Directory Discovery | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nDiscovery | T1057 | Process Discovery | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅\r\nCollection | T1113 | Screen Capture | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nCollection | T1115 | Clipboard Data | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅\r\nCommand and Control | T1132.002 | Data Encoding: Non-Standard Encoding | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nCommand and Control | T1571 | Non-Standard Port | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ✅\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌\r\nCommand and Control | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | ✅\r\nCommand and Control | T1568.003 | Dynamic Resolution: DNS Calculation | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅\r\nExfiltration | T1048 | Exfiltration Over Alternative Protocol | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅\r\nAs you can see, Latin American banking trojans, while having their differences, have many crucial features in common.\r\nSource: https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/"
	],
	"report_names": [
		"latam-financial-cybercrime-competitors-crime-sharing-ttps"
	],
	"threat_actors": [],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19bb0842ce7de5673612eacd9f43dd1fe73c23c1.pdf",
		"text": "https://archive.orkl.eu/19bb0842ce7de5673612eacd9f43dd1fe73c23c1.txt",
		"img": "https://archive.orkl.eu/19bb0842ce7de5673612eacd9f43dd1fe73c23c1.jpg"
	}
}