Grandoreiro Banking Trojan Impersonates Mexican Government Officials
Prajeet Nair (@prajeetspeaks) •
August 20, 2022
Researchers uncovered an ongoing spear-phishing campaign targeting organizations in the Spanish-speaking nations of Mexico and Spain across a variety of industry verticals, such as automotive and chemicals manufacturing.
In the latest campaign that began in June 2022, researchers observed the notorious Grandoreiro banking Trojan impersonating Mexican government officials, according to a report by Zscaler ThreatLabz.
The Grandoreiro Trojan, which has been active since 2016, lures victims into downloading and executing it by impersonating the Attorney General’s Office of Mexico City and the Public Ministry, and specifically targets users in Latin America.
In the latest campaign, researchers observed attackers targeting industries in logistics, machinery, automotive and civil and industrial construction in Mexico. In Spain, attackers are focused on targeting chemical manufacturing industries.
“Grandoreiro is written in Delphi and utilizes techniques like binary padding to inflate binaries, Captcha implementation for sandbox evasion, and command-and-control (CnC) communication using patterns that are identical to LatentBot,” researchers say.
Attack Techniques
The campaign begins with a spear-phishing email written in Spanish. The email contains an embedded link that redirects the victim to a website, which then downloads a malicious ZIP archive onto the victim’s machine.
This archive is bundled with the Grandoreiro loader, which disguises itself with a PDF icon to further lure victims into executing it. Execution leads to downloading, extracting and running the final 400MB “Grandoreiro” payload from a remote HFS server.
Researchers observed two separate types of phishing emails used in this specific campaign.
In the first set of phishing emails, the threat actors impersonated government officials and instructed victims to download and share the Provisional Archiving Resolution.
Here the threat actors posed as the current Attorney General of Mexico, “Alejandro Gertz Manero,” and the subject line and signature area displayed the Attorney General’s Office, “Fiscalia General de Justicia,” to make the email look genuine.
In addition, the email notifies the victims about the Provisional Archiving Resolution and directs users to download and share the Resolution before a specified date, after which the payment would not be refunded.
Once a victim clicks on the link provided in the phishing email, they are redirected to a malicious domain, http[:]//barusgorlerat[.]me, which then downloads a ZIP file from the remote server containing the Grandoreiro loader.
Another lure used “Alejandra Solano – from the Public Ministry – Early Decision and Litigation Section” and asked the victim to download and share the Provisional Archiving Resolution; here the embedded link redirected users to another domain, http[:]//damacenapirescontab[.]com, and the subject line was “Notificación del Ministerio Público.”
In the second set of phishing emails, researchers observed lures such as “Cancellation of Mortgage Loan and Deposit Voucher Slip.” The email content lured victims with the cancellation of a mortgage loan, and the threat actors asked victims to download a mortgage cancellation form by opening the embedded link.
“Once the link is opened it redirects to the malicious domain: http[:]//assesorattlas[.]me which then further downloads a ZIP File consisting of the Grandoreiro Loader,” researchers say.
In all the phishing emails, researchers observed that the ZIP file extracts two files, one with an .exe extension and one with an .xml extension. The .xml file is not an XML file but a portable executable with the original name “Extensions.dll.” This file is signed with a valid “ASUSTEK COMPUTER INCORPORATION” certificate.
The .exe file is the Grandoreiro loader module, which disguises itself with a PDF icon.
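As an added defender-side example (not code from the Zscaler report or this article), the following Python check inspects the members of a ZIP archive and flags any whose extension claims a non-executable type while the content starts with the PE “MZ” header, which is exactly the .xml-that-is-a-PE mismatch described above. The member names and bytes in the sample archive are constructed, not taken from the real lure.

```python
"""Flag ZIP members whose extension contradicts their magic bytes.

Added example: an ".xml" member that begins with the PE "MZ" header is
flagged, so the archive can be quarantined before it reaches a user.
"""
import io
import zipfile

# Leading bytes for the content types this check distinguishes.
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"

# Extensions that should never carry a PE header (constructed, minimal list).
NON_EXECUTABLE_EXTS = {".xml", ".pdf", ".txt", ".jpg", ".png", ".doc"}


def classify(data: bytes) -> str:
    """Return a coarse content label from the first bytes of a member."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    stripped = data.lstrip()
    if stripped.startswith(b"<?xml") or stripped.startswith(b"<"):
        return "xml"
    return "other"


def find_masquerading_members(zip_bytes: bytes) -> list:
    """Return (name, ext, label) for members whose content contradicts their extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            head = zf.open(info).read(64)  # only the header is needed
            label = classify(head)
            if label == "pe" and ext in NON_EXECUTABLE_EXTS:
                findings.append((name, ext, label))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure: an .exe loader plus an .xml that is really a PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resolucion.exe", b"MZ" + b"\x90" * 62)      # loader stand-in (constructed)
        zf.writestr("Extensions.xml", b"MZ" + b"\x00" * 62)      # PE masquerading as XML (constructed)
        zf.writestr("readme.xml", b"<?xml version='1.0'?><a/>")  # genuine XML, must not be flagged
    return buf.getvalue()


if __name__ == "__main__":
    for name, ext, label in find_masquerading_members(build_sample_archive()):
        print(f"{name}: extension {ext} but content is {label}")
```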
Once the Grandoreiro Trojan is installed on a victim’s device, it has backdoor capabilities to perform espionage.
Some of the key capabilities include keylogging, auto-update for newer versions and modules, web injects and restricting access to specific websites, command execution, manipulating windows, guiding the victim’s browser to a certain URL, and imitating mouse and keyboard movements.
“We came across another ongoing Grandoreiro campaign with an extra anti-sandbox technique used by the malware authors. This technique requires a Captcha to be filled manually to execute the malware in the victim’s machine. The malware is not executed until or unless the Captcha is filled,” researchers say.
Previous Campaign
In a previous campaign tracked by Kaspersky, researchers found that the malware was initially targeting victims in Brazil, Mexico, Spain and Portugal, although it’s possible that it has spread to other countries as well.
Kaspersky said that the Trojan is not connected with a specific group or operator and has been offered as a service model for other cybercriminals and fraudsters to rent.
In addition to spreading via spear-phishing attacks, Grandoreiro is hidden in compromised websites. It also hides its communications with the command-and-control server through legitimate third-party websites to help it evade security tools, according to Kaspersky.
“Brazilian crooks are rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work within other countries, adopting MaaS [malware-as-a-service] and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners,” the report said.