Critical sectors in Spain and Mexico were hit by Grandoreiro trojan

August 23, 2022

The Grandoreiro banking trojan was observed in recent cyberattacks against the employees of automotive machinery developers in Mexico and workers of a chemical manufacturer in Spain.

The trojan has been circulating in the wild for about half a decade and remains one of the more significant banking threats worldwide. The recent campaign was spotted last June and is still active; it deploys a Grandoreiro variant with several new features aimed at evading detection.

The initial infection of Grandoreiro trojan begins with a phishing email.

The infection process of the Grandoreiro trojan begins with a specially crafted email that pretends to have originated from the Spanish Public Ministry or the Attorney General’s Office of Mexico, depending on the target.

The emails revolve around state refunds, cancellation of loans, and notices of changes to litigation. Each message carries a link that redirects the victim to a website serving a ZIP archive.

The archive holds the Grandoreiro loader module, masqueraded as a PDF document so that the victim will open it and execute the payload. Once the loader runs, it retrieves a Delphi payload from a remote HTTP file server as a compressed ZIP of about 9.2 MB, which the loader extracts and executes.
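One defensive check that follows directly from the delivery chain above is to inspect the downloaded ZIP before anything in it is opened, and flag entries that claim to be documents but carry a Windows PE header, or that use a double extension such as `.pdf.exe`. The script below is an added example and is not code from the original article or from the researchers who analysed the campaign; the function names (`classify_entry`, `scan_archive`, `build_sample_archive`) and the file names in the constructed test archive are assumptions made for illustration, not indicators from a real sample.

```python
import io
import zipfile

# Extensions a lure would use to look like a harmless document
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Extensions Windows will execute directly when double-clicked
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".msi"}


def classify_entry(name: str, head: bytes) -> list:
    """Return the reasons an archive entry looks like an executable posing as a document.

    name: path of the entry inside the archive
    head: the first bytes of the entry's content (two are enough for the MZ check)
    """
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]  # e.g. ['.pdf', '.exe']
    last = exts[-1] if exts else ""
    is_pe = head.startswith(b"MZ")  # DOS stub header shared by .exe and .dll files

    # Content is a PE image but the name does not admit it (icon/name masquerade)
    if is_pe and last not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header behind a non-executable extension %r" % (last or "(none)"))
    # A document extension hidden in front of the real executable extension
    if last in EXECUTABLE_EXTENSIONS and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        reasons.append("double extension %s" % "".join(exts))
    # Any plain executable inside a mailed archive still deserves a look
    if last in EXECUTABLE_EXTENSIONS and not reasons:
        reasons.append("executable delivered inside an archive")
    return reasons


def scan_archive(data: bytes) -> dict:
    """Map each suspicious entry name in a ZIP (given as bytes) to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive for this example; it is not a real Grandoreiro sample."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100  # minimal MZ/PE-looking blob
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notificacion_Fiscalia.pdf.exe", fake_pe)   # double extension
        zf.writestr("Reembolso.pdf", fake_pe)                    # PE content, PDF name
        zf.writestr("Aviso_legal.pdf", b"%PDF-1.7\n%...\n")      # genuine-looking PDF
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_archive(build_sample_archive()).items():
        print(entry, "->", "; ".join(why))
```

The check deliberately looks at content (the `MZ` magic) rather than trusting the file name, because the loader in this campaign relies on the name and icon to pass as a PDF. It will not catch a PE whose header has been obfuscated before extraction, so it belongs in front of, not instead of, proper sandboxing of mailed archives.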

At this stage the loader collects system information, enumerates installed antivirus products, cryptocurrency wallets and e-banking applications, and sends the harvested data to the command-and-control server.

This campaign shows that Grandoreiro's operators now favour highly targeted attacks over large waves of spam sent to random recipients worldwide.

Furthermore, the malware's continual upgrades have given it strong anti-analysis and detection-evasion features, techniques that other threat actors are likely to adopt in their own operations.

Although the researchers did not publish a detailed account of the specific objective of the attack, Grandoreiro's operators have consistently shown that they are financially motivated, and experts expect them to go after more high-value targets.
