Resurgence of Grandoreiro Banking Trojan: New Phishing Campaigns Target Latin America and Europe

TL;DR

The Grandoreiro banking trojan has resurfaced, targeting users in Latin America and Europe through sophisticated phishing campaigns. These campaigns employ advanced techniques such as VPS hosting and obfuscation to evade detection, posing a significant threat to financial institutions and individuals.

Resurgence of Grandoreiro Banking Trojan

Forcepoint X-Labs researchers have issued a warning about new phishing campaigns targeting users in Latin America and Europe. The Grandoreiro banking trojan, active since 2016, initially targeted Brazil but has since expanded its reach to Mexico, Portugal, and Spain.

Capabilities of Grandoreiro

Grandoreiro is a modular backdoor with the following capabilities:

  • Keylogging
  • Auto-updating to newer versions and modules
  • Web-injects and restricting access to specific websites
  • Command execution
  • Manipulating windows
  • Guiding the victim’s browser to a certain URL
  • C2 Domain Generation via DGA (Domain Generation Algorithm)
  • Imitating mouse and keyboard movements

Phishing Campaigns and Tactics

Forcepoint reports that large-scale phishing campaigns use VPS hosting and obfuscation to evade detection. A recent Grandoreiro campaign targeted users in Mexico, Argentina, and Spain via phishing emails impersonating tax agencies. Attackers use Contabo-hosted links to deliver obfuscated Visual Basic scripts and disguised EXE payloads for credential theft. Encrypted or password-protected files are also employed to evade security detection.

Grandoreiro Phishing Email

The phishing emails contain malicious links that redirect users to VPS or dedicated servers hosted on Contabo, with subdomains matching the pattern vmi\d{7}[.]contaboserver[.]net. Clicking the “Download PDF” button leads to a zip payload hosted on MediaFire. These subdomains change with each campaign; each one corresponds to a specific virtual machine or dedicated server on Contabo’s network.

Technical Details

Clicking the “Download PDF” button triggers a JavaScript function that checks the browser and platform, then retrieves a MediaFire URL from a PHP file to download a .zip file. The .zip often contains a password-protected, obfuscated VBS script. This script decodes a base64 stream, drops an EXE file in the system directory, and executes it using WScript.Shell.

The extracted 32-bit EXE file, compiled with Delphi, masquerades as a PDF and triggers a fake Acrobat Reader error. Upon user interaction, it connects to a C2 server (18.212.216.95) and searches for personal data, including Bitcoin wallet files, the system GUID, the computer name, and language settings. The malware uses a custom URI client and unusual port numbers to communicate with the server.

“The attack involves malicious ZIP files containing obfuscated VBS scripts that drop a Delphi-based EXE. Once executed, the malware steals credentials, searches for Bitcoin wallet directories, and connects to a C2 server. Attackers frequently change subdomains under contaboserver[.]net to evade detection,” concludes the report that includes Indicators of Compromise (IoCs).
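The report's network indicators (the vmi\d{7}[.]contaboserver[.]net subdomain pattern, the MediaFire-hosted zip payload, and the C2 address 18.212.216.95 reached over non-standard ports) are the kind of thing a defender turns into a log query. The script below is an added example, not code from Forcepoint or from this post: it runs those three checks over a handful of constructed proxy log lines. The log format, the source hosts and the port 3000 in the sample are assumptions made for the example; only the hostname pattern and the C2 IP come from the report. Note that contaboserver[.]net hosts a great many legitimate servers, so the rule flags only hostnames matching the exact vmi + seven-digit pattern the report describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the report: the Contabo VPS subdomain pattern and the C2 address.
CONTABO_HOST_RE = re.compile(r"^vmi\d{7}\.contaboserver\.net$", re.IGNORECASE)
KNOWN_C2_IPS = {"18.212.216.95"}
# The report names MediaFire as the host of the zip payload; MediaFire itself is a
# legitimate service, so only .zip downloads from it are flagged.
STAGING_HOST_RE = re.compile(r"(^|\.)mediafire\.com$", re.IGNORECASE)
# Ports treated as ordinary web traffic; anything else to a known C2 address is called out.
USUAL_PORTS = {80, 443}

# Assumed proxy log format (constructed for this example, not Forcepoint's):
# "<timestamp> <src_ip> <dst_host_or_ip> <dst_port> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")


@dataclass
class Hit:
    line_no: int
    reason: str
    dst: str
    port: int


def classify(dst: str, port: int, url: str) -> Optional[str]:
    """Return a human-readable reason if the connection matches a report indicator, else None."""
    if dst in KNOWN_C2_IPS:
        reason = "known Grandoreiro C2 address"
        if port not in USUAL_PORTS:
            reason += f" on unusual port {port}"
        return reason
    if CONTABO_HOST_RE.match(dst):
        return "VPS landing host matching vmi<7 digits>.contaboserver.net"
    if STAGING_HOST_RE.search(dst) and url.lower().endswith(".zip"):
        return "ZIP payload fetched from MediaFire"
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Run the indicator checks over proxy log lines; malformed lines are skipped, not fatal."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, _src, dst, port, _method, url = m.groups()
        reason = classify(dst, int(port), url)
        if reason:
            hits.append(Hit(n, reason, dst, int(port)))
    return hits


# Constructed sample log. Line 5 uses a contaboserver.net host that does NOT match the
# report's pattern, to show the rule is deliberately narrow.
SAMPLE_LOG = """\
2024-05-20T10:01:02Z 10.0.0.5 www.example.com 443 GET https://www.example.com/index.html
2024-05-20T10:01:05Z 10.0.0.5 vmi1234567.contaboserver.net 443 GET https://vmi1234567.contaboserver.net/landing.php
2024-05-20T10:01:09Z 10.0.0.5 download1234.mediafire.com 443 GET https://download1234.mediafire.com/x/factura.zip
2024-05-20T10:02:30Z 10.0.0.5 18.212.216.95 3000 POST http://18.212.216.95:3000/
2024-05-20T10:02:31Z 10.0.0.7 vmi99.contaboserver.net 443 GET https://vmi99.contaboserver.net/
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.dst}:{hit.port} -> {hit.reason}")
```

On the sample input the scanner reports lines 2, 3 and 4 and leaves line 5 alone. In practice the C2 rule is the strongest signal because an exact IP match on a non-web port is hard to explain away; the hostname and MediaFire rules are triage leads that need the surrounding mail and endpoint telemetry to confirm.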

Conclusion

The resurgence of the Grandoreiro banking trojan highlights the ongoing threat of sophisticated phishing campaigns. Users and organizations must remain vigilant and implement robust security measures to protect against such attacks. For more details, visit the full article: source.

Pierluigi Paganini

SecurityAffairs – hacking, malware

This post is licensed under CC BY 4.0 by the author.