It was discovered that the infamous “Grandoreiro” banking trojan was used in recent attacks on employees of a chemicals company in Spain and employees of car and machinery businesses in Mexico. The malware continues to be one of the worst dangers of its kind for Spanish-speaking users, having been active in the wild at least since 2017.

Zscaler researchers first became aware of the current effort in June 2022, and it is still going strong today. The use of a Grandoreiro malware strain with upgraded C2 capability and a number of extra features to avoid detection and anti-analysis is involved. Depending on the victim, the infection chain begins with an email that claims to be from the Mexican Attorney General’s Office or the Spanish Public Ministry.

Mortgage loan terminations, lawsuit change letters, and state reimbursements are among the topics of communication. An email from the most recent phishing campaign (Zscaler). A ZIP archive is put into a website by means of a link in the email that takes recipients there. To trick the victim into activating the Grandoreiro loader module it contains, this PDF file was presented.

Following that, the loader downloads, extracts, and executes a 9.2MB ZIP file containing a Delphi payload from a remote HTTP file server (“http://15[.]188[.]63[.]127:36992/zxeTYhO.xml”). The loader gathers system data at that phase and sends it, along with a list of installed antivirus programs, cryptocurrency wallets, and e-banking applications, to the C2.

The final payload is certified using a certificate that was stolen from ASUSTEK and employs “binary padding” to inflate its size to 400MB in order to avoid sandbox examination.
the seal on the certificate for the final payload (Zscaler)

Grandoreiro once went so far as to need the victim to complete a CAPTCHA in order for the attack to be identified, as security analyst Ankit Anubhav pointed out on Twitter.
With the addition of two new Registry keys, Grandoreiro is finally ready to run at system startup and preserve persistence over reboots.

The most recent campaign demonstrates that the operators of Grandoreiro favor carrying out highly targeted attacks over sending out bulk spam to unexpected recipients. The malware’s continued evolution provides it with better anti-analysis and detection avoidance properties, laying the groundwork for stealthier activities.

The particular goals of the current campaign are not covered in great length in Zscaler’s report, but Grandoreiro’s operators have regularly displayed financial reasons, thus it is anticipated that nothing has changed.

The post The infamous “Grandoreiro” banking trojan used in recent attacks on employees of a chemicals company in Spain appeared first on The Tech Outlook.