Search This Blog

Showing posts with label Campaign. Show all posts

Spanish Banking Trojan Attacks Various Industry Verticals


A new campaign aimed at delivering the Grandoreiro banking trojan has targeted organisations in the Spanish-speaking countries of Mexico and Spain. 

"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler said in a report.

The ongoing attacks, which began in June 2022, have been observed to target the automotive, civil and industrial construction, logistics, and machinery sectors in Mexico and the chemicals manufacturing industries in Spain via multiple infection chains. 

The attack chain involves using spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive from which a loader disguised as a PDF document is extracted to trigger the execution. To activate the infections, the phishing messages prominently incorporate themes revolving around payment refunds, litigation notifications, mortgage loan cancellation, and deposit vouchers.

"This [loader] is responsible for downloading, extracting and executing the final 400MB 'Grandoreiro' payload from a Remote HFS server which further communicates with the [command-and-control] Server using traffic identical to LatentBot," Zscaler researcher Niraj Shivtarkar said.

The loader is also intended to collect system information, retrieve a list of installed antivirus solutions, cryptocurrency wallets, banking, and mail apps, and then exfiltrate the data to a remote server.

Grandoreiro is a modular backdoor with a plethora of functionalities that enable it to record keystrokes, execute arbitrary commands, mimic mouse and keyboard movements, restrict access to specific websites, auto-update itself, and establish persistence via a Windows Registry change. It has been observed in the wild for at least six years.

Furthermore, the malware is written in Delphi and employs techniques such as binary padding to increase binary size by 200MB, CAPTCHA implementation for sandbox evasion, and C2 communication through subdomains generated by a domain generation algorithm (DGA).

The CAPTCHA technique, in specific, necessitates the victim to manually complete the challenge-response test in order to execute the malware in the compromised machine, implying that the implant is not executed unless and until the CAPTCHA is solved.

According to the findings, Grandoreiro is constantly evolving into sophisticated malware with novel anti-analysis characteristics, granting the attackers full remote access and posing significant threats to employees and their organisations.

The information comes just over a year after Spanish authorities apprehended 16 members of a criminal network in connection with the operation of Mekotio and Grandoreiro in July 2021.

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers


The notorious 'Grandoreiro' banking trojan was discovered in recent attacks targeting employees of a chemicals manufacturer in Spain and automotive and machinery manufacturers in Mexico. The malware has been active in the wild since at least 2017 and continues to be one of the most serious threats to Spanish-speaking users. 

The most recent campaign, discovered by Zscaler analysts, began in June 2022 and is still ongoing. It entails the deployment of a Grandoreiro malware variant with several new anti-detection and anti-analysis features, as well as a redesigned C2 system.

The infection chain begins with an email purporting to be from the Mexican Attorney General's Office or the Spanish Public Ministry, depending on the target. The message's subject matter includes state refunds, notices of litigation changes, mortgage loan cancellations, and other items.

The email contains a link that takes recipients to a website where they can download a ZIP archive. That file contains the Grandoreiro loader module disguised as a PDF file in order to trick the victim into running it. Once this occurs, the loader retrieves a Delphi payload in the form of a compressed 9.2MB ZIP file from a remote HTTP file server ("http://15[.]188[.]63[.]127:36992/zxeTYhO.xml") and extracts and executes it.

The loader gathers system information, retrieves a list of installed antivirus programmes, cryptocurrency wallets, and e-banking apps, and sends it to the C2. To avoid sandbox analysis, the final payload is signed with a certificate stolen from ASUSTEK and has an inflated size of 400MB thanks to "binary padding."

In one case, as security analyst Ankit Anubhav pointed out on Twitter, Grandoreiro even asks the victim to solve a CAPTCHA to run on the system, which is yet another attempt to avoid detection. Finally, Grandoreiro is made persistent between reboots by adding two new Registry keys and setting it to launch at system startup.

Grandoreiro features

One of the new features in the latest Grandoreiro variant sampled by Zscaler is the use of DGA (domain generation algorithm) for C2 communications, which makes mapping and taking down the malware's infrastructure difficult.

The C2 communication pattern is now the same as LatentBot's, with "ACTION+HELLO" beacons and ID-based cookie value responses. The similarities between the two malware strains were discovered by Portuguese cybersecurity blogger Pedro Taveres in 2020, but the C2 communication techniques were only recently incorporated into Grandoreiro's code.

The malware on the host has the following backdoor capabilities:
  • Keylogging
  • Auto-Updation for newer versions and modules
  • Web-Injects and restricting access to specific websites
  • Command execution
  • Manipulating windows
  • Guiding the victim's browser to a specific URL
  • C2 Domain Generation via DGA (Domain Generation Algorithm)
  • Imitating mouse and keyboard movements

The recent campaign suggests that Grandoreiro's operators prefer to carry out highly targeted attacks rather than send large volumes of spam emails to random recipients.

Furthermore, the malware's continuous evolution, which provides it with stronger anti-analysis and detection avoidance features, lays the groundwork for stealthier operations. While Zscaler's report does not go into detail about the current campaign's objectives, Grandoreiro's operators have previously demonstrated financial motivations, so the case is assumed to be the same.

Bitter APT and Transparent Tribe Campaigns on Social Media


Facebook's parent company, Meta, has recently shut down two cyberespionage efforts on its social networking networks. Bitter APT and Transparent Tribe threat groups were behind these campaigns. Both groups have been based in South Asia.

About Bitter APT:

The first group discovered was Bitter APT or T-APT-17, which targeted firms in the government, engineering, and energy industries. The group used social engineering against targets in India, the United Kingdom, New Zealand, and Pakistan.

To install malware on target devices, it exploited a combination of hijacked websites, URL shortening services, and third-party file hosting companies. To interact with and fool their victims, the hackers impersonated activists, journalists, and young women. Bitter also utilised Dracarys, a new Android malware that exploits accessibility services.

Transparent Tribe

Transparent Tribe, also known as APT36, is less complex than Bitter APT. It employs social engineering techniques as well as widely available malware. Its most recent campaign targeted citizens in India, Pakistan, Afghanistan, Saudi Arabia, and the United Arab Emirates. 

Human rights advocates and military officials were the primary targets of the campaign. The hackers pretended to be recruiters for bogus and real firms, as well as young ladies and military personnel.

In conclusion

Social media has become a playground for cybercriminals of all sorts. Cyberspies utilise these platforms to gather intelligence and lure victims to external sites where malware may be downloaded. As a result, users are advised to exercise caution while befriending strangers online.