Elain Brown Tech 08.19.2022 23:Aug PM EDT

Grandoreiro Banking Trojan: What You Should Know About the Malware Targeting Manufacturers in Mexico, Spain

Grandoreiro, a malware known as a banking trojan, is yet again on the loose, attacking workers from Spain and Mexico.

This type of malware has been existing in the wild since 20217. Even to this day, it continues to be a significant threat to the Spanish-speaking nations.

Security researchers at Zscaler were the first to detect this new campaign in June 2022 using the banking trojan, which is unfortunately ongoing.

It entails the use of Grandoreiro malware that has been updated to include several new features to avoid detection and anti-analysis, in addition to a redesigned command and control system.

Grandoreiro Attack

The banking malware known as Grandoreiro has been observed in recent attacks again. According to Zscaler's ThreatLabz, it discovered a campaign called Grandoreiro that specifically targets companies in Spain and Mexico.

The banking trojan targets companies that are involved in specific industries such as automotives, logistics, machinery, chemical manufacturing, civil and industrial construction, and fleet management services.

The infection chain that the threat actors are utilizing in this campaign is quite identical to the infection chains utilized in earlier Grandoreiro efforts in their previous campaigns. The attack starts with an email containing spear phishing text that is written in Spanish.

In this attack, the malicious actors send a phishing email to targeted victims and lure them in by pretending to be a government employee from the Public Ministry or the Attorney General's Office of Mexico City.

The actors will deploy procedures in order to force the victims to download and execute a file or a link that contains the Grandoreiro malware.

The Grandoreiro malware was developed in Delphi and employs strategies such as binary padding to inflate binaries, the implementation of Captcha for sandbox evasion, and command-and-control (CnC) communication utilizing patterns that are identical to those used by LatentBot.

Grandoreiro Email Attach

The Grandoreiro's infection chain begins with an email pretending to have originated from the Attorney General's Office of Mexico City or the Spanish Public Ministry.

According to BleepingComputer, the messages contained in email contain serious legal queries such as cancellation of mortgage loans, notices of litigation changes, state refunds, and more.

The message comprises a link that, when clicked, takes the recipient to a website that downloads a ZIP file. This file is an attempt to mislead the victim into opening the Grandoreiro loader module by disguising itself as a PDF file and enclosing it within itself.

BleepingComputer states, "Once this happens, a Delphi payload is fetched from a remote HTTP file server ("https://15[.]188[.]63[.]127:36992/zxeTYhO.xml") in the form of a compressed 9.2MB ZIP and is extracted and executed by the loader."

After that, the loader will collect information about the system, retrieve a list of installed antivirus programs, cryptocurrency wallets, and online banking applications, and then send that list to the C2.

In order to circumvent sandbox analysis, the final payload, which was signed with a certificate that had been stolen from ASUSTEK, assumed an inflated size of 400MB by using the method of "binary padding."

Not in all cases, but Grandoreiro goes so far as to ask the victim to solve a CAPTCHA in order for the system to run. This is another attempt to avoid being analyzed.

In conclusion, persistence is kept between reboots by adding two new registry keys that configure Grandoreiro to launch at the beginning of each operating system session.

The most recent campaign provides evidence that the operators behind Grandoreiro are interested in carrying out highly targeted attacks rather than sending high quantities of spam emails to recipients chosen at random.

Since the operators of Grandoreiro have, in the past, demonstrated that they are motivated by financial concerns, it is presumed that the situation has not changed.