The ecosystem of LATAM banking trojans is unique in comparison to other cyber crime operations. It is one of the only regions in which banking trojans are still used heavily to commit banking fraud, while most other banking trojans have since moved on to become backdoors and botnets to furnish ransomware attacks. The threat groups operating out of LATAM and Spain also display a high degree of cross-group collaboration, while sticking to their tried-and-true techniques, seldom found in other regions. Although this does help to quickly identify a “Latin American banking trojan” group or campaign, attribution is often very challenging due to the strong overlaps. Different malware strains will often use similar string encryption algorithms, and several banking trojans are believed to be operated as Malware-as-a-Service or have several independently developed and operated forks. The same applies to the malware distributors, which mainly rely on shared techniques such as public cloud hosting and phishing emails containing PDFs and malicious URLs to download ZIP archives containing the first-stage malware.

In most cases, the first stage is a downloader-type malware. These come in all shapes and sizes and can have varying levels of complexity. A large portion of downloaders are script-based, often featuring lengthy infection chains made up of Batch, JavaScript, Visual Basic Script or PowerShell scripts, and the scripts themselves may also be embedded in files such as HTML, LNK (Guildma especially) or MSI installers. The more complex downloaders often perform some very basic enumeration on the host, which they pass back to their C2/download server in order to notify the operators of the potential value of an infection. One example is the Grandoreiro downloader, a member of the Grandoreiro family, which features its own string encryption and performs detailed enumeration before downloading the main banking trojan.
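The script-heavy infection chains described above leave a recognisable trace in process-creation telemetry: a document reader, browser or archiver spawning a script host, or a script host launching a Batch/JS/VBS/PowerShell/LNK/MSI file from a user-writable download or temp path. The following is an added example, not code from the X-Force article, showing how a defender could flag such chains and reconstruct the parent lineage for an alert. The event records and field names (`pid`, `ppid`, `image`, `parent_image`, `command_line`) are constructed and assumed; they are loosely modelled on Sysmon process-creation events, not on any specific product schema.

```python
"""Flag script-based downloader chains in process-creation telemetry.

Added example (not from the original article). The events below are
constructed, and the field names are assumptions modelled loosely on
Sysmon event 1 / generic EDR process-creation records.
"""
import re

# Script hosts and installers that carry the Batch/JS/VBS/PowerShell/LNK/MSI stages
# described in the article.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                "mshta.exe", "msiexec.exe"}
# User-facing parents that typically open a phishing attachment or a downloaded archive.
DOCUMENT_PARENTS = {"acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                    "winrar.exe", "7zfm.exe"}
# Extensions of the script files and wrappers the chains are built from.
SCRIPT_EXTS = (".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".hta",
               ".lnk", ".msi")
# User-writable locations a freshly downloaded/extracted script usually lives in.
USER_PATHS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when a script host is spawned by a document/browser/archiver parent, or
    when it runs a script file that sits in a user-writable download/temp path."""
    image = basename(event["image"])
    if image not in SCRIPT_HOSTS:
        return False
    if basename(event["parent_image"]) in DOCUMENT_PARENTS:
        return True
    cmd = event["command_line"].lower()
    if not any(p in cmd for p in USER_PATHS):
        return False
    # Tokenise the command line, keeping quoted paths together, then strip quotes.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', cmd)]
    return any(t.endswith(SCRIPT_EXTS) for t in tokens)


def process_chain(events: list[dict], pid: int) -> str:
    """Walk parent pointers to render 'root > ... > child' for an alert."""
    index = {e["pid"]: e for e in events}
    names = []
    while pid in index:
        names.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return " > ".join(reversed(names))


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, chain) for every suspicious process-creation event."""
    return [(e["pid"], process_chain(events, e["pid"])) for e in events if is_suspicious(e)]


# Constructed sample telemetry: a PDF lure leading to a Batch stage and a PowerShell
# stage, a JS file run from Downloads, and one benign admin script for contrast.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"AcroRd32.exe" C:\Users\ana\Downloads\factura.pdf'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "command_line": r'cmd.exe /c "C:\Users\ana\Downloads\factura\instalar.bat"'},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell.exe -File C:\Users\ana\AppData\Local\Temp\update.ps1"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"pid": 301, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\ana\Downloads\comprovante.js"'},
]

if __name__ == "__main__":
    for pid, chain in detect(EVENTS):
        print(f"pid {pid}: {chain}")
```

The two rules are deliberately narrow: the parent-based rule catches the "document opened a script host" hop regardless of the command line, and the path-based rule catches scripts launched directly from Downloads or Temp (for example after a user double-clicks an extracted LNK or JS file) without flagging scripts run from administrative locations.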

Other downloaders are more generic but are also used to download banking trojans such as Grandoreiro. What the latter have in common is that they almost always download a full archive containing a legitimate application, with the malware hidden in a trojanized DLL which is loaded by the application upon execution. The reason for this method of packaging and distribution is so that any potentially suspicious activity performed by the banking trojan appears to EDR solutions as if it is coming from a legitimate executable’s process. This recurring technique is characteristic of the LATAM ecosystem and has been a distinctive feature for several years. In mid-2024, IBM X-Force observed a campaign delivering a new downloader exhibiting the same characteristics. X-Force named the new Golang-based downloader “Picanha.”
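Because the final payload arrives as an archive holding a legitimate application plus a DLL it loads, a defender can triage such archives before execution by looking for exactly that pairing. The following added example (not X-Force or Picanha code) reads a ZIP, identifies PE files by their `MZ` magic, and reports every executable whose co-located DLLs are referenced by name inside it. The archive and the PE stubs are constructed in memory; the stubs only carry the magic bytes and an ASCII DLL name, and the name search is a deliberately cheap stand-in for parsing the executable's import table, which a production tool would do instead.

```python
"""Triage a ZIP archive for the 'legitimate EXE + trojanized DLL' packaging.

Added example, not code from the article. The archive is constructed in memory
and the PE files are stubs: 'MZ' magic plus an ASCII reference to a DLL name,
which stands in for a real import-table parse.
"""
import io
import posixpath
import zipfile


def is_pe(data: bytes) -> bool:
    """Minimal PE check on the DOS header magic."""
    return data[:2] == b"MZ"


def triage_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per EXE that references a DLL shipped next to it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}
    pe_files = {n: d for n, d in members.items() if is_pe(d)}
    exes = [n for n in pe_files if n.lower().endswith(".exe")]
    dlls = [n for n in pe_files if n.lower().endswith(".dll")]
    for exe in exes:
        exe_dir = posixpath.dirname(exe)
        body = pe_files[exe].lower()
        # Heuristic: a DLL in the same directory whose file name appears in the EXE
        # is a sideload candidate; a proper tool would read the import directory.
        candidates = [d for d in dlls
                      if posixpath.dirname(d) == exe_dir
                      and posixpath.basename(d).lower().encode() in body]
        if candidates:
            findings.append({"exe": exe,
                             "sideload_candidates": sorted(candidates),
                             "total_pe_files": len(pe_files)})
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive: an 'updater' EXE, the DLL it references, an unrelated DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Updater/Updater.exe",
                    b"MZ" + b"\x00" * 64 + b"KERNEL32.dll\x00helper.dll\x00")
        zf.writestr("Updater/helper.dll", b"MZ" + b"\x00" * 64)
        zf.writestr("Updater/other.dll", b"MZ" + b"\x00" * 64)  # present, not referenced
        zf.writestr("Updater/LICENSE.txt", b"MIT")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with no PE files at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/invoice.pdf", b"%PDF-1.4\n%stub\n")
        zf.writestr("docs/notes.txt", b"nothing executable here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding)
```

In practice the same triage is worth running on the archive before the downloader extracts it and on the resulting directory afterwards, since a signed, well-known executable that imports an unsigned DLL from its own folder is the pattern the EDR-evasion trick depends on; pairing this check with Authenticode verification of both files on Windows closes the gap the string-search heuristic leaves open.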

The Picanha downloader is the next evolution of this malware type, offering enhanced features such as supporting more download URLs, reliable encryption and a more sophisticated in-memory execution mechanism, surpassing previous downloader capabilities. However, the builder for Picanha, which is responsible for creating the random function names and other values, is likely still under development. Frequent code changes, such as bug fixes and the presence of unused configuration values, may further indicate that future versions could include additional features such as persistence for the downloaded payload.