
Spanish-Language Trojan Targets Many Industry Verticals

Grandoreiro Banking Trojan Impersonates Mexican Government Officials

Researchers uncovered an ongoing spear-phishing campaign targeting organizations in the Spanish-speaking nations of Mexico and Spain across a variety of industry verticals, including automotive and chemical manufacturing.


In the latest campaign that began in June 2022, researchers observed the notorious Grandoreiro banking Trojan impersonating Mexican government officials, according to a report by Zscaler ThreatLabz.

The Grandoreiro Trojan, which has been active since 2016, lures victims into downloading and executing it by impersonating the Attorney General's Office of Mexico City and the Public Ministry, and it specifically targets users in Latin America.

In the latest campaign, researchers observed attackers targeting the logistics, machinery, automotive and civil and industrial construction industries in Mexico. In Spain, the attackers focused on the chemical manufacturing industry.

"Grandoreiro is written in Delphi and utilizes techniques like binary padding to inflate binaries, Captcha implementation for sandbox evasion, and command-and-control (CnC) communication using patterns that are identical to LatentBot," researchers say.

Attack Techniques

The campaign begins with a spear-phishing email written in Spanish. The email contains an embedded link that redirects the victim to a website, which in turn downloads a malicious ZIP archive onto the victim's machine.

The archive contains the Grandoreiro loader, which uses a PDF icon to lure the victim into executing it. Once run, the loader downloads, extracts and executes the final 400MB Grandoreiro payload from a remote HFS (HTTP File Server) server.

Researchers observed two separate types of phishing emails used in this specific campaign.

In the first set of phishing emails, the threat actors impersonated government officials and instructed victims to download and share a "Provisional Archiving Resolution."

Here the threat actors posed as the current Attorney General of Mexico, "Alejandro Gertz Manero," and the subject line and signature area displayed the Attorney General's Office, "Fiscalia General de Justicia," to make the message look genuine.

The email notifies the victim of the Provisional Archiving Resolution and directs the user to download and share the resolution before a specified date, after which the payment would not be refunded.

Once a victim clicks the link in the phishing email, they are redirected to the malicious domain http[:]//barusgorlerat[.]me, from which a ZIP file containing the Grandoreiro loader is downloaded.

Another lure used the name "Alejandra Solano - from the Public Ministry - Early Decision and Litigation Section" and likewise asked the victim to download and share the Provisional Archiving Resolution; its embedded link redirected users to a different domain, http[:]//damacenapirescontab[.]com. The subject line of this email was "Notificación del Ministerio Público."

In the second set of phishing emails, researchers observed lures such as "Cancellation of Mortgage Loan and Deposit Voucher Slip." The email content tells victims that a mortgage loan has been cancelled and asks them to download a mortgage cancellation form by opening the embedded link.

"Once the link is opened it redirects to the malicious domain: http[:]//assesorattlas[.]me which then further downloads a ZIP File consisting of the Grandoreiro Loader," researchers say.

In all of the phishing emails, researchers observed that the ZIP file extracts two files, one with an .exe extension and one with an .xml extension. The .xml file is not an XML file but a portable executable with the original name "Extensions.dll." This file is signed with a valid "ASUSTEK COMPUTER INCORPORATION" certificate.

The other .exe file is the Grandoreiro Loader module that disguises itself as a PDF icon.
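Two of the traits described above, a PE file shipped under a non-executable extension and a binary inflated with padding, are both cheap to check at an email gateway or in a triage script by looking at file content rather than file names. The following is an added example written for this article, not Zscaler's tooling or any code from the Grandoreiro operators: it builds a constructed ZIP archive whose members imitate the described layout (a loader with an .exe extension, a PE masquerading as "Extensions.xml", and a genuine XML file), then flags any member that carries an MZ/PE header regardless of extension and estimates how much of it is low-entropy filler. The PE-shaped bytes, the member names, the 4096-byte block size, the entropy threshold of 1.0 and the list of expected executable extensions are all assumptions for the demo.

```python
import io
import math
import struct
import zipfile
from collections import Counter


def build_fake_pe(body_size: int, pad_size: int) -> bytes:
    """Constructed PE-shaped blob for the demo (hypothetical; not real malware).

    It carries only what the checks below look at: an MZ stub whose e_lfanew
    points at a 'PE\\0\\0' signature, a high-entropy 'code' body, and an
    optional zero-filled tail that stands in for binary padding.
    """
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # e_lfanew -> PE signature at offset 64
    pe_sig = b"PE\x00\x00"
    # Odd multiplier mod 256 cycles through every byte value, so 4 KiB blocks
    # of this body have near-maximal entropy, unlike the padding tail.
    body = bytes((i * 7919 + 13) % 256 for i in range(body_size))
    return bytes(dos_header) + pe_sig + body + b"\x00" * pad_size


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of the chunk; 0.0 for uniform filler, ~8.0 for packed code."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def padding_ratio(data: bytes, block: int = 4096, threshold: float = 1.0) -> float:
    """Fraction of fixed-size blocks whose entropy falls below the threshold.

    A high ratio means most of the file is filler, which is what binary
    padding to inflate a sample (and dodge size-limited scanners) produces.
    """
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    if not blocks:
        return 0.0
    low = sum(1 for b in blocks if shannon_entropy(b) < threshold)
    return low / len(blocks)


EXEC_EXTENSIONS = ("exe", "dll", "sys", "scr")  # assumption: what a PE is expected to be called


def triage_archive(zip_bytes: bytes) -> dict:
    """Map each archive member to its verdict: PE by magic, extension mismatch, padding."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            is_pe = looks_like_pe(data)
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            results[info.filename] = {
                "is_pe": is_pe,
                "masquerading": is_pe and ext not in EXEC_EXTENSIONS,
                "padding_ratio": padding_ratio(data) if is_pe else 0.0,
            }
    return results


def build_sample_zip() -> bytes:
    """Constructed archive imitating the described layout (names are assumptions)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notificacion.exe", build_fake_pe(8192, 0))              # loader-like, no padding
        zf.writestr("Extensions.xml", build_fake_pe(8192, 64 * 4096))       # PE hiding behind .xml, padded
        zf.writestr("readme.xml", b"<?xml version='1.0'?><doc/>")           # genuine XML, must not fire
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in triage_archive(build_sample_zip()).items():
        print(f"{name:20s} {verdict}")
```

The two checks are deliberately independent of the file name and of the Authenticode signature: a signed binary is still a PE, and a valid third-party certificate says nothing about whether the file should have arrived as an .xml attachment. On a real sample the padding ratio would be measured on the 400MB payload rather than the small loader.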

Once the Grandoreiro Trojan is installed on a victim's device, it has backdoor capabilities that allow it to perform espionage.

Its key capabilities include keylogging, auto-updating to newer versions and modules, web injects and restricting access to specific websites, command execution, manipulating windows, directing the victim's browser to a specified URL, and imitating mouse and keyboard movements.

"We came across another ongoing Grandoreiro campaign with an extra anti-sandbox technique used by the malware authors. This technique requires a Captcha to be filled manually to execute the malware in the victim's machine. The malware is not executed until or unless the Captcha is filled," researchers say.

Previous Campaign

In a previous campaign tracked by Kaspersky, researchers found that the malware was initially targeting victims in Brazil, Mexico, Spain and Portugal, although it's possible that it has spread to other countries as well.

Kaspersky said that the Trojan is not connected with a specific group or operator and has been offered as a service model for other cybercriminals and fraudsters to rent.

In addition to spreading via spear-phishing attacks, Grandoreiro is hidden in compromised websites. It also hides its communications with the command-and-control server through legitimate third-party websites to help it evade security tools, according to Kaspersky.

"Brazilian crooks are rapidly creating an ecosystem of affiliates, recruiting cybercriminals to work within other countries, adopting MaaS [malware-as-a-service] and quickly adding new techniques to their malware as a way to keep it relevant and financially attractive to their partners," the report said.


About the Author

Prajeet Nair

Principal Correspondent, ISMG

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.
