A new campaign aimed at delivering the Grandoreiro banking trojan has targeted organisations in the Spanish-speaking countries of Mexico and Spain.
"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler said in a report.
The ongoing attacks, which began in June 2022, have been observed to target the automotive, civil and industrial construction, logistics, and machinery sectors in Mexico and the chemicals manufacturing industries in Spain via multiple infection chains.
The attack chain involves using spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive from which a loader disguised as a PDF document is extracted to trigger the execution.
To activate the infections, the phishing messages prominently incorporate themes revolving around payment refunds, litigation notifications, mortgage loan cancellation, and deposit vouchers.
"This [loader] is responsible for downloading, extracting and executing the final 400MB 'Grandoreiro' payload from a Remote HFS server which further communicates with the [command-and-control] Server using traffic identical to LatentBot," Zscaler researcher Niraj Shivtarkar said.
The loader is also intended to collect system information, retrieve a list of installed antivirus solutions, cryptocurrency wallets, banking, and mail apps, and then exfiltrate the data to a remote server.
Grandoreiro is a modular backdoor with a plethora of functionalities that enable it to record keystrokes, execute arbitrary commands, mimic mouse and keyboard movements, restrict access to specific websites, auto-update itself, and establish persistence via a Windows Registry change. It has been observed in the wild for at least six years.
Furthermore, the malware is written in Delphi and employs techniques such as binary padding to increase binary size by 200MB, CAPTCHA implementation for sandbox evasion, and C2 communication through subdomains generated by a domain generation algorithm (DGA).
The CAPTCHA technique, in specific, necessitates the victim to manually complete the challenge-response test in order to execute the malware in the compromised machine, implying that the implant is not executed unless and until the CAPTCHA is solved.
According to the findings, Grandoreiro is constantly evolving into sophisticated malware with novel anti-analysis characteristics, granting the attackers full remote access and posing significant threats to employees and their organisations.
The information comes just over a year after Spanish authorities apprehended 16 members of a criminal network in connection with the operation of Mekotio and Grandoreiro in July 2021.
