Picus Threat Library is Updated for Trojans Targeting Banks in Latin America

Banks in Spanish and Portuguese-speaking countries are targetted by Krachulka, Lokorrito, and Zumanek. malware simulations are added to Picus Threat Library.

Hüseyin Can YÜCEEL                                                                                                                              December 27, 2021

Picus Labs has updated the Picus Threat Library with new attack methods for Krachulka, Lokorrito, Zumanek Trojans that are targeting banks in Brazil, Mexico, and Spain. In this blog, techniques used by these malware families will be explored.

Banking trojans have a significant role in the cybercrime scene in Latin America. According to Eset, 11 different malware families that target banks in Spanish and Portuguese-speaking countries share TTPs, indicating that threat actors are cooperating on some level. For example, the same or similar custom encryption schemes are used by these malware families. In this blog, we will be focusing on 3 malware families called Krachulka, Lokorrito, and Zumanek.

Let's start with Krachulka. As a spyware, it gathers classified information from infected systems without the consent of the user and sends gathered information to remote threat actors.

Lokkorito and Zumanek act like a classic Remote Access Trojan (RAT). They go one step further than Krachulka and not only collect information from infected systems but also perform malicious operations such as infecting the target with other malware and performing denial-of-service (DoS) attacks.

Test Your Security Controls Against Malware

KEEP UP TO DATE WITH THE LATEST BLOG POST

red-report-2021

Techniques used by Krachulka, Lokkorito and Zumanek

Krachulka, Lokkorito, and Zumanek malware families utilize 26 techniques and sub-techniques under 10 tactics in the MITRE ATT&CK framework. This section lists malicious behaviors of these malware families by categorizing them using the MITRE ATT&CK v10.0 framework.

1. Initial Access

  • T1566.01 Phishing: Spearphishing Attachment
  • T1566.02 Phishing: Spearphishing Link

2. Execution

  • T1059 Command and Scripting Interpreter
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell  
  • T1059.005 Command and Scripting Interpreter: Visual Basic 
  • T1059.007 Command and Scripting Interpreter: JavaScript/JScript

3. Persistence

  • T1547.001 Boot or Logon Autostart execution: Registry Run Keys/Startup Folder
  • T1574.002 Hijack Execution Flow: DLL Side-Loading

4. Defense Evasion

  • T1140 Deobfuscate/Decode Files or Information
  • T1220 XSL Script Processing
  • T1497.001 Virtualization/Sandbox Evasion: System Checks

5. Collection

  • T1056.001 Input Capture: Keylogging 
  • T1056.002 Input Capture: GUI Input Capture 
  • T1113 Screen Capture

6. Credential Access

  • T1056.003 Credentials from Password Stores: Credentials from Web Browsers

7. Discovery

  • T1010 Application Window Discovery 
  • T1057 Process Discovery
  • T1082 System Information Discovery 
  • T1083 File and Directory Discovery 
  • T1518.001 Software Discovery: Security Software Discovery

8. Command and Control

  • T1132.001 Data Encoding: Standard Encoding 
  • T1132.002 Data Encoding: NonStandard Encoding 
  • T1568.002 Dynamic Resolution: Domain Generation Algorithms
  • T1571 Non-Standard Port

9. Exfiltration

  • T1041 Exfiltration Over C2 Channel
  • T1048 Exfiltration Over Alternative Protocol

Attack Simulation

Picus Continuous Security Validation Platform tests your security controls against Krachulka, Lokorrito and Zumanek and suggests related prevention methods.

Picus Labs advises you to simulate these malware families and determine the effectiveness of your security controls against them. Picus Threat Library includes the following attacks used in the attack campaigns of Krachulka, Lokorrito and Zumanek malware families.

Threat Name

Krachulka Banking Malware .DLL File Download Variant-1

Krachulka Banking Malware .DLL File Download Variant-2

Krachulka Banking Malware .DLL File Download Variant-3

Lokorrito Banking Malware .EXE File Download Variant-1

Zumanek Banking Malware .EXE File Download Variant-1 

Zumanek Banking Malware .EXE File Download Variant-2

Zumanek Banking Malware .EXE File Download Variant-3 

bas-purple-academy

Verified Indicators of Compromise (IOCs)

Krachulka Banking Malware

MD5: 886857aa35a419bc14496e33933a2766

SHA-1: 83bcd611f0fd4d7d06c709bc5e26eb7d4cdf8d01

SHA-256: 3e7d9f16013ecf4b0d168571e43cfcf8a0734d0c9e4521132f184463018c5da4 

 

Krachulka Banking Malware

MD5: 313524bb2f7ab77db89cc409bbbfed41

SHA-1: ffe131add40628b5cf82ec4655518d47d2ab7a28

SHA-256: 8ac4474450cc27f3af0d6a34b1860e0387a3d8ca6811aaad7e1ff375858d08a4 

 

Krachulka Banking Malware

MD5: d7e28b8266e34b6223b0bdacb74d5cb1

SHA-1: 4484ce3014627f8e2bb7129632d5a011cf0e9a2a

SHA-256: b68e1de66d767a05b0cfd3c55608dbac3ff328a04c7b0a3b32dffa266a65e1c1 

 

Lokorrito Banking Malware

MD5: 7ce3a6270ccacd98b764213838a13edb

SHA-1: d30f968741d4023cd8daf716c78510c99a532627

SHA-256: 681f424f36a3b24e64b45ea019585f97511d6ad804407237638cbdf145dd0c2c 

 

Zumanek Banking Malware

MD5: 66ec4dfddf8ca0e5d30a73bf2931d740

SHA-1: 69fd64c9e8638e463294d42b7c0efe249d29c27e

SHA-256: d78a194dd80e0bd247cef0853df95a90d546aa351cabe548e6872f96c7473704 

 

Zumanek Banking Malware

MD5: 9efbb5cf8f05c8bf4eb07e20586e0f97

SHA-1: 59c955c227b83413b4bdf01f7d4090d249408df2

SHA-256: d776d66f419db2bd8089bc21c8734aada7e338d683463d061db3e6b0d24e7900 

 

Zumanek Banking Malware

MD5: 116ba343f4b9692ffb665de3b6e15787

SHA-1: 4e49d878b13e475286c59917cc63db1fa3341c78

SHA-256: 3425bda838d457ae9bc126337208f661982e1ef30b91561004b75362d5411ec4