Saturday, August 20, 2022

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers


Organizations in the Spanish-speaking countries of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the Grandoreiro banking trojan.

"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler said in a report.

The ongoing attacks, which commenced in June 2022, have been observed to target the automotive, civil and industrial construction, logistics, and machinery sectors via multiple infection chains in Mexico, and the chemicals manufacturing industry in Spain.


Attack chains entail leveraging spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive, from which a loader masquerading as a PDF document is extracted to trigger the execution.

The phishing messages prominently incorporate themes revolving around payment refunds, litigation notifications, cancellation of mortgage loans, and deposit vouchers to activate the infections.

"This [loader] is responsible for downloading, extracting and executing the final 400MB 'Grandoreiro' payload from a Remote HFS server which further communicates with the [command-and-control] Server using traffic similar to LatentBot," Zscaler researcher Niraj Shivtarkar said.

That's not all. The loader is also designed to gather system information, retrieve a list of installed antivirus solutions, cryptocurrency wallets, banking, and mail apps, and exfiltrate the information to a remote server.

Observed in the wild for at least six years, Grandoreiro is a modular backdoor with an array of functionalities that allows it to record keystrokes, execute arbitrary commands, mimic mouse and keyboard actions, restrict access to specific websites, auto-update itself, and establish persistence via a Windows Registry change.

What's more, the malware is written in Delphi and uses techniques like binary padding to inflate the binary size by 200MB, a CAPTCHA implementation for sandbox evasion, and C2 communication using subdomains generated via a domain generation algorithm (DGA).
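Two of the anti-analysis techniques named above, binary padding and DGA-generated subdomains, lend themselves to simple defensive heuristics. The script below is an added example written for this page; it is not code from Zscaler's report or from the malware. It assumes a padded binary ends in one long run of a single byte value, uses a constructed DNS resolver log whose line format is invented for the example, and the numeric thresholds (padding ratio, label length, entropy, vowel and digit ratios) are assumptions rather than figures from the report.

```python
import math
import re
from collections import Counter

# ---------------------------------------------------------------------------
# Heuristic 1: binary padding.
# A binary inflated with filler typically ends in one very long run of a single
# byte value. We measure the longest run of one byte as a fraction of the file
# size; a ratio near 1.0 means most of the file is padding.
# (Pure-Python loop: fine for small samples, slow for a real 200MB file, where
# you would scan only the tail or use a compiled tool.)
# ---------------------------------------------------------------------------

def longest_byte_run(data: bytes) -> int:
    """Return the length of the longest run of a single repeated byte."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        if cur > best:
            best = cur
    return best


def padding_ratio(data: bytes) -> float:
    """Fraction of the file occupied by its longest single-byte run."""
    return longest_byte_run(data) / len(data) if data else 0.0


def looks_padded(data: bytes, threshold: float = 0.5) -> bool:
    """True when at least `threshold` of the file is one repeated byte (assumed cutoff)."""
    return padding_ratio(data) >= threshold


# ---------------------------------------------------------------------------
# Heuristic 2: DGA-like subdomain labels in DNS query logs.
# Algorithmically generated labels tend to be long, high-entropy and short on
# vowels (or heavy on digits) compared with human-chosen hostnames.
# ---------------------------------------------------------------------------

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the label's own character distribution."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def is_dga_like(label: str, min_len: int = 10, min_entropy: float = 3.0,
                max_vowel_ratio: float = 0.25, min_digit_ratio: float = 0.2) -> bool:
    """Heuristic classifier for one hostname label. Thresholds are assumptions, not from the report."""
    n = len(label)
    if n < min_len or shannon_entropy(label) < min_entropy:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    return vowel_ratio <= max_vowel_ratio or digit_ratio >= min_digit_ratio


# Constructed DNS resolver log lines (not real telemetry); the format is assumed.
SAMPLE_DNS_LOG = """\
2022-06-14T10:21:05Z client 10.0.0.15 query: www.example.net
2022-06-14T10:21:06Z client 10.0.0.15 query: autodiscover.example.net
2022-06-14T10:21:09Z client 10.0.0.15 query: k3jq8zx7vw2nq9lp.example.net
2022-06-14T10:22:41Z client 10.0.0.22 query: mail.example.net
2022-06-14T10:23:12Z client 10.0.0.15 query: xqvtgdlkpmzr.example.net
"""

QUERY_RE = re.compile(r"query:\s+(\S+)")


def flag_dga_queries(log_text: str) -> list:
    """Return the queried FQDNs whose leftmost label looks algorithmically generated.

    Only the leftmost label is scored; splitting off the registrable domain
    properly needs a public-suffix list, which is out of scope here.
    """
    flagged = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        fqdn = m.group(1).rstrip(".").lower()
        if is_dga_like(fqdn.split(".")[0]):
            flagged.append(fqdn)
    return flagged


if __name__ == "__main__":
    clean = bytes(range(256)) * 16      # constructed: no two adjacent bytes repeat
    padded = clean + b"\x00" * 20000    # constructed: about 83% filler
    print("clean padded?", looks_padded(clean), round(padding_ratio(clean), 4))
    print("padded file padded?", looks_padded(padded), round(padding_ratio(padded), 4))
    for fqdn in flag_dga_queries(SAMPLE_DNS_LOG):
        print("DGA-like query:", fqdn)
```

Both heuristics are deliberately coarse: legitimate CDN or cloud hostnames with hashed labels will trip the DGA scorer, and a padding ratio only tells you a file is mostly filler, not that it is malicious. They are meant as triage signals to combine with the other indicators the report describes (oversized payload fetched from an HFS server, LatentBot-style C2 traffic), not as standalone verdicts.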


The CAPTCHA technique, in particular, requires manual completion of the challenge-response test before the malware executes on the compromised machine, meaning that the implant is not run unless and until the victim solves the CAPTCHA.

The findings suggest that Grandoreiro is continuously evolving into a sophisticated malware with novel anti-analysis characteristics, granting the attackers full remote access capabilities and posing significant threats to employees and their organizations.

The development also arrives a little over a year after Spanish law enforcement agencies arrested 16 individuals belonging to a criminal network in connection with operating Mekotio and Grandoreiro in July 2021.
