Picus Labs has updated the Picus Threat Library with new attack methods for the Krachulka, Lokorrito, and Zumanek Trojans, which target banks in Brazil, Mexico, and Spain. This blog explores the techniques used by these malware families.

Banking trojans play a significant role in the cybercrime scene in Latin America. According to ESET, 11 different malware families that target banks in Spanish- and Portuguese-speaking countries share TTPs, indicating that the threat actors behind them cooperate on some level. For example, the same or similar custom encryption schemes are used across these families. In this blog, we focus on three of them: Krachulka, Lokorrito, and Zumanek.

Let's start with Krachulka. As spyware, it gathers confidential information from infected systems without the user's consent and sends it to remote threat actors. Lokorrito and Zumanek behave like classic Remote Access Trojans (RATs). They go one step further than Krachulka: in addition to collecting information from infected systems, they perform malicious operations such as infecting the target with other malware and launching denial-of-service (DoS) attacks.

## Techniques used by Krachulka, Lokorrito and Zumanek

The Krachulka, Lokorrito, and Zumanek malware families use 26 techniques and sub-techniques under 10 tactics in the MITRE ATT&CK framework. This section lists the malicious behaviors of these malware families, categorized using the MITRE ATT&CK v10.0 framework.

1. Initial Access
   - T1566.001 Phishing: Spearphishing Attachment
   - T1566.002 Phishing: Spearphishing Link
2. Execution
   - T1059 Command and Scripting Interpreter
   - T1059.003 Command and Scripting Interpreter: Windows Command Shell
   - T1059.005 Command and Scripting Interpreter: Visual Basic
   - T1059.007 Command and Scripting Interpreter: JavaScript/JScript
3. Persistence
   - T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
   - T1574.002 Hijack Execution Flow: DLL Side-Loading
4. Defense Evasion
   - T1140 Deobfuscate/Decode Files or Information
   - T1220 XSL Script Processing
   - T1497.001 Virtualization/Sandbox Evasion: System Checks
5. Collection
   - T1056.001 Input Capture: Keylogging
   - T1056.002 Input Capture: GUI Input Capture
   - T1113 Screen Capture
6. Credential Access
   - T1555.003 Credentials from Password Stores: Credentials from Web Browsers
7. Discovery
   - T1010 Application Window Discovery
   - T1057 Process Discovery
   - T1082 System Information Discovery
   - T1083 File and Directory Discovery
   - T1518.001 Software Discovery: Security Software Discovery
8. Command and Control
   - T1132.001 Data Encoding: Standard Encoding
   - T1132.002 Data Encoding: Non-Standard Encoding
   - T1568.002 Dynamic Resolution: Domain Generation Algorithms
   - T1571 Non-Standard Port
9. Exfiltration
   - T1041 Exfiltration Over C2 Channel
   - T1048 Exfiltration Over Alternative Protocol

## Attack Simulation

The Picus Continuous Security Validation Platform tests your security controls against Krachulka, Lokorrito, and Zumanek and suggests related prevention methods. Picus Labs advises you to simulate these malware families and determine the effectiveness of your security controls against them.

The Picus Threat Library includes the following attacks used in the attack campaigns of the Krachulka, Lokorrito, and Zumanek malware families.
| Threat Name |
| --- |
| Krachulka Banking Malware .DLL File Download Variant-1 |
| Krachulka Banking Malware .DLL File Download Variant-2 |
| Krachulka Banking Malware .DLL File Download Variant-3 |
| Lokorrito Banking Malware .EXE File Download Variant-1 |
| Zumanek Banking Malware .EXE File Download Variant-1 |
| Zumanek Banking Malware .EXE File Download Variant-2 |
| Zumanek Banking Malware .EXE File Download Variant-3 |

## Verified Indicators of Compromise (IOCs)

| Malware | MD5 | SHA-1 | SHA-256 |
| --- | --- | --- | --- |
| Krachulka Banking Malware | 886857aa35a419bc14496e33933a2766 | 83bcd611f0fd4d7d06c709bc5e26eb7d4cdf8d01 | 3e7d9f16013ecf4b0d168571e43cfcf8a0734d0c9e4521132f184463018c5da4 |
| Krachulka Banking Malware | 313524bb2f7ab77db89cc409bbbfed41 | ffe131add40628b5cf82ec4655518d47d2ab7a28 | 8ac4474450cc27f3af0d6a34b1860e0387a3d8ca6811aaad7e1ff375858d08a4 |
| Krachulka Banking Malware | d7e28b8266e34b6223b0bdacb74d5cb1 | 4484ce3014627f8e2bb7129632d5a011cf0e9a2a | b68e1de66d767a05b0cfd3c55608dbac3ff328a04c7b0a3b32dffa266a65e1c1 |
| Lokorrito Banking Malware | 7ce3a6270ccacd98b764213838a13edb | d30f968741d4023cd8daf716c78510c99a532627 | 681f424f36a3b24e64b45ea019585f97511d6ad804407237638cbdf145dd0c2c |
| Zumanek Banking Malware | 66ec4dfddf8ca0e5d30a73bf2931d740 | 69fd64c9e8638e463294d42b7c0efe249d29c27e | d78a194dd80e0bd247cef0853df95a90d546aa351cabe548e6872f96c7473704 |
| Zumanek Banking Malware | 9efbb5cf8f05c8bf4eb07e20586e0f97 | 59c955c227b83413b4bdf01f7d4090d249408df2 | d776d66f419db2bd8089bc21c8734aada7e338d683463d061db3e6b0d24e7900 |
| Zumanek Banking Malware | 116ba343f4b9692ffb665de3b6e15787 | 4e49d878b13e475286c59917cc63db1fa3341c78 | 3425bda838d457ae9bc126337208f661982e1ef30b91561004b75362d5411ec4 |
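The IOC hashes above are most useful when turned into a lookup a defender can run over files on a suspect host. The script below is an added example written for this post, not Picus code and not part of the Picus platform: it embeds the published MD5, SHA-1, and SHA-256 values, hashes every `.dll` and `.exe` under a directory (the suffix filter and the directory argument are assumptions chosen to match the "File Download" variants listed in the table), and reports any file whose digest matches a known sample.

```python
import hashlib
import json
import sys
from pathlib import Path

# Hashes exactly as published in the "Verified Indicators of Compromise" table,
# grouped by malware family. Each tuple is (algorithm, hex digest).
IOCS = {
    "Krachulka Banking Malware": [
        ("md5", "886857aa35a419bc14496e33933a2766"),
        ("sha1", "83bcd611f0fd4d7d06c709bc5e26eb7d4cdf8d01"),
        ("sha256", "3e7d9f16013ecf4b0d168571e43cfcf8a0734d0c9e4521132f184463018c5da4"),
        ("md5", "313524bb2f7ab77db89cc409bbbfed41"),
        ("sha1", "ffe131add40628b5cf82ec4655518d47d2ab7a28"),
        ("sha256", "8ac4474450cc27f3af0d6a34b1860e0387a3d8ca6811aaad7e1ff375858d08a4"),
        ("md5", "d7e28b8266e34b6223b0bdacb74d5cb1"),
        ("sha1", "4484ce3014627f8e2bb7129632d5a011cf0e9a2a"),
        ("sha256", "b68e1de66d767a05b0cfd3c55608dbac3ff328a04c7b0a3b32dffa266a65e1c1"),
    ],
    "Lokorrito Banking Malware": [
        ("md5", "7ce3a6270ccacd98b764213838a13edb"),
        ("sha1", "d30f968741d4023cd8daf716c78510c99a532627"),
        ("sha256", "681f424f36a3b24e64b45ea019585f97511d6ad804407237638cbdf145dd0c2c"),
    ],
    "Zumanek Banking Malware": [
        ("md5", "66ec4dfddf8ca0e5d30a73bf2931d740"),
        ("sha1", "69fd64c9e8638e463294d42b7c0efe249d29c27e"),
        ("sha256", "d78a194dd80e0bd247cef0853df95a90d546aa351cabe548e6872f96c7473704"),
        ("md5", "9efbb5cf8f05c8bf4eb07e20586e0f97"),
        ("sha1", "59c955c227b83413b4bdf01f7d4090d249408df2"),
        ("sha256", "d776d66f419db2bd8089bc21c8734aada7e338d683463d061db3e6b0d24e7900"),
        ("md5", "116ba343f4b9692ffb665de3b6e15787"),
        ("sha1", "4e49d878b13e475286c59917cc63db1fa3341c78"),
        ("sha256", "3425bda838d457ae9bc126337208f661982e1ef30b91561004b75362d5411ec4"),
    ],
}

# Flat index for O(1) matching: lowercase digest -> (family, algorithm).
HASH_INDEX = {
    digest.lower(): (family, algo)
    for family, entries in IOCS.items()
    for algo, digest in entries
}

# The directory scan only looks at these extensions; this is an assumption
# matching the .DLL / .EXE download variants in the threat table above.
DEFAULT_SUFFIXES = (".dll", ".exe")


def digest_bytes(data: bytes) -> dict:
    """Compute the three digests the IOC list publishes for one file's content."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def match_iocs(digests: dict) -> list:
    """Return (family, algorithm) for every digest found in the IOC index.

    The algorithm recorded in the index must agree with the algorithm the value
    was computed under, so a stray 32-hex string is never reported as a SHA-1 hit.
    """
    hits = []
    for algo, value in digests.items():
        entry = HASH_INDEX.get(value.lower())
        if entry is not None and entry[1] == algo:
            hits.append(entry)
    return hits


def scan_tree(root: Path, suffixes=DEFAULT_SUFFIXES) -> dict:
    """Hash each candidate file under root; map matching paths to their IOC hits."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = match_iocs(digest_bytes(path.read_bytes()))
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    # Usage: python ioc_scan.py <directory>   (defaults to the current directory)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    print(json.dumps(scan_tree(target), indent=2))
```

A hit on any one algorithm is enough to flag a file, since all three values per sample were published together; when triaging, treat the SHA-256 match as the authoritative one and the MD5 and SHA-1 values as convenience for tooling that only records those digests.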