Grandoreiro banking malware targets manufacturers in Spain, Mexico

The notorious ‘Grandoreiro’ banking trojan was spotted in recent attacks targeting employees of a chemicals manufacturer in Spain and workers of automotive and machinery makers in Mexico.

The malware has been active in the wild since at least 2017 and remains one of the most significant threats of its kind for Spanish-speaking users.

The recent campaign, spotted by analysts at Zscaler, started in June 2022 and is still ongoing. It deploys a Grandoreiro variant with several new detection-evasion and anti-analysis features, as well as a revamped C2 system.


Victim map of the latest Grandoreiro campaign (Zscaler)

Starts with an email

The infection chain begins with an email pretending to originate from the Attorney General’s Office of Mexico City or the Spanish Public Ministry, depending on the target.

The message topic revolves around state refunds, notices of litigation changes, cancellation of mortgage loans, and more.


One of the phishing emails used in the latest campaign (Zscaler)

The email contains a link redirecting victims to a website that drops a ZIP archive. That archive holds the Grandoreiro loader module, masquerading as a PDF file to trick the victim into launching it.

Once this happens, the loader fetches a Delphi payload from a remote HTTP file server (“http://15[.]188[.]63[.]127:36992/zxeTYhO.xml”), delivered as a compressed 9.2MB ZIP, then extracts and executes it.


Grandoreiro’s latest infection chain (Zscaler)

During that stage, the loader gathers system information, retrieves a list of installed AV programs, cryptocurrency wallets, and e-banking apps, and sends that data to the C2.

The final payload, signed with a certificate stolen from ASUSTEK, is inflated to 400MB through “binary padding” to evade sandbox analysis, since many sandboxes refuse or time out on files above a size limit.


The certificate that signs the final payload (Zscaler)
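As an added defender-side example (not code from Zscaler’s report or from this article), the following Python check measures how much of a PE file lies past its last section and whether that overlay is a single repeated byte, which is the footprint that appended binary padding of the kind described above leaves. The minimal PE-shaped blob built by `build_sample_pe` is a constructed fixture, not a real executable, and the thresholds are assumptions.

```python
import struct
from collections import Counter

def pe_overlay_offset(data: bytes) -> int:
    """Return the file offset where the last PE section's raw data ends."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_hdr_size          # COFF header is 20 bytes + 4-byte signature
    end = sec_table + 40 * num_sections               # at least the section table itself
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def padding_report(data: bytes, min_overlay: int = 1_000_000, dominance: float = 0.95) -> dict:
    """Flag a file whose overlay is large and made almost entirely of one byte value.
    Thresholds (1 MB overlay, 95% single-byte share) are assumed, tune per environment."""
    overlay = data[pe_overlay_offset(data):]
    top_byte, top_count = Counter(overlay).most_common(1)[0] if overlay else (None, 0)
    ratio = top_count / len(overlay) if overlay else 0.0
    return {
        "file_size": len(data),
        "overlay_size": len(overlay),
        "dominant_byte": top_byte,
        "dominant_ratio": round(ratio, 3),
        "suspected_padding": len(overlay) >= min_overlay and ratio >= dominance,
    }

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed fixture: DOS stub, COFF header, PE32 optional header, one section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # usual PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\0" * opt_size
    section_ptr = e_lfanew + 24 + opt_size + 40       # raw data follows the single section header
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 512, 0x1000, 512, section_ptr,
                                            0, 0, 0, 0, 0x60000020)
    return dos + coff + opt + section + b"\xCC" * 512 + overlay

if __name__ == "__main__":
    print(padding_report(build_sample_pe(b"\0" * 2_000_000)))
```

Padding inserted inside a section rather than appended would not show up as overlay; a per-section byte-dominance check over the same section table covers that case.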

In one case highlighted by security analyst Ankit Anubhav on Twitter, Grandoreiro even asks the victim to solve a CAPTCHA before it runs on the system, another attempt to evade automated analysis.


CAPTCHA step served on the victim (@ankit_anubhav)

Finally, persistence between reboots is maintained by adding two new Registry keys, setting Grandoreiro to launch at system startup.


Registry keys added on breached systems (Zscaler)

Grandoreiro features

One of the new additions in the latest Grandoreiro variant sampled by Zscaler is the use of DGA (domain generation algorithm) for C2 communications, which makes mapping the malware’s infrastructure and taking it down challenging.

The C2 communication pattern is now identical to that of LatentBot, using “ACTION+HELLO” beacons and ID-based cookie value responses.

Portuguese cybersecurity blogger Pedro Tavares first spotted the commonalities between the two malware strains in 2020, but the assimilation of the C2 communication techniques into Grandoreiro’s code was completed only recently.

The backdoor capabilities of the malware on the host include:

  • Keylogging
  • Auto-updating to newer versions and modules
  • Web injects and restricting access to specific websites
  • Command execution
  • Manipulating windows
  • Guiding the victim’s browser to a specific URL
  • C2 Domain Generation via DGA (Domain Generation Algorithm)
  • Imitating mouse and keyboard movements

Outlook

The recent campaign indicates that Grandoreiro’s operators are interested in conducting highly targeted attacks instead of sending large volumes of spam emails to random recipients.

Also, the malware’s continual evolution, which gives it stronger anti-analysis and detection-evasion features, lays the ground for stealthier operations.

While Zscaler’s report doesn’t dive deep into the specific goals of the current campaign, Grandoreiro’s operators have historically demonstrated financial motives, so it’s assumed the case remains the same.
