Pierluigi Paganini August 21, 2022

A new Grandoreiro banking malware campaign is targeting organizations in Mexico and Spain, Zscaler reported.

Zscaler ThreatLabz researchers observed a Grandoreiro banking malware campaign targeting organizations in the Spanish-speaking nations of Mexico and Spain.

Grandoreiro is a modular backdoor that supports the following capabilities:

• Keylogging
• Auto-Updation for newer versions and modules
• Web-Injects and restricting access to specific websites
• Command execution
• Manipulating windows
• Guiding the victim’s browser to a certain URL
• C2 Domain Generation via DGA (Domain Generation Algorithm)
• Imitating mouse and keyboard movements

The campaign began in June 2022 and is still ongoing, the attacks hit organizations in multiple industries, such as Automotive, Chemicals Manufacturing, and others. The threat actors behind this campaign impersonate Mexican Government Officials, the malware uses multiple anti-analysis techniques along with implementation of Captcha for evading Sandboxes.

“In this campaign, the threat actors impersonate government officials from the Attorney General’s Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute “Grandoreiro” a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America.” reads the post published by Zscaler. “Grandoreiro is written in Delphi and utilizes techniques like binary padding to inflate binaries, Captcha implementation for sandbox evasion, and command-and-control (CnC) communication using patterns that are identical to LatentBot.”

The infection chain begins with a spear-phishing message written in Spanish that includes a link that points to a website that further downloads a malicious ZIP archive on the victim’s machine. The messages use payment refunds, litigation notifications, cancellation of mortgage loans, and deposit vouchers as lures.

The ZIP archive contains the Grandoreiro Loader module with a PDF Icon in order to lure the victim into opening it. Once the file is opened, it downloads and executes the “Grandoreiro” payload (400MB) from a Remote HFS server which further communicates with the C2 server using traffic identical to LatentBot

That’s not all. The loader is also designed to gather system information, retrieve a list of installed antivirus solutions, cryptocurrency wallets, banking, and mail apps, and exfiltrate the information to a remote server.

Grandoreiro is a continuously evolving threat that represents a serious threat to organizations worldwide.

“The threat actors behind Grandoreiro Banking malware are continuously evolving their tactics and malware to successfully carry out attacks against their targets by incorporating new anti-analysis tricks to evade security solutions; inheriting features from other Malware families.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]