Brazilian Banking Malware Targets Spain: An Emerging Cyber Threat Landscape

SquirtDanger

In the ever-evolving world of cyber threats, one particular banking malware has expanded its reach from Brazil and Mexico to Spain, highlighting the complexities of the current cyber landscape, according to Proofpoint researchers.

Historically, Brazil has been a hub for banking malware, thanks to its broad adoption of online banking. With an increasing number of Brazilians coming online, the country is among the top targets for information stealers and other malware. Threat actors, realizing the potential of a growing online user base, exploit vulnerabilities and engage in social engineering, targeting individuals eager to transact online.

Over the years, Brazilian banking malware has seen several iterations. But, interestingly, most of them can trace their roots back to a common Delphi-written ancestor, revealing a pattern of reusing and modifying source codes. This lineage has birthed multiple malware strains, notable among them being Javali, Casabeniero, Mekotio, and Grandoreiro. The latter, Grandoreiro, is particularly concerning as it’s not only in active development but also possesses capabilities to steal data through keyloggers screen-grabbers, and banking credentials from overlays when users access targeted banking sites.

SquirtDanger

Traditionally, Grandoreiro targeted bank customers in Brazil and Mexico. However, recent campaigns, especially those during August 2023, suggest an alarming trend. The malware has expanded its overlay capabilities to include banks in Spain. This transition is pivotal because the malware now can target multiple regions simultaneously without needing any modifications.

Adding a layer of complexity to the threat is TA2725, a threat actor tracked by Proofpoint since March 2022. Known for deploying Brazilian banking malware and phishing schemes, TA2725 mainly targets organizations in Brazil and Mexico. The modus operandi often involves redirecting users to a zip file hosted on legitimate cloud platforms like Amazon AWS, Google Cloud, or Microsoft Azure after a URL redirect from GoDaddy virtual hosting. They are known for stealing credentials not only from banks but also from popular platforms like Netflix and Amazon.

The expansion of Grandoreiro’s overlay capabilities to Spain signifies a significant shift. While Spain has been a previous target for threat actors from the Americas, they mostly relied on generic malware or region-specific phishing campaigns. The recent adaptation of Grandoreiro, which had primarily been Americas-centric, underscores the evolving strategies of cybercriminals and the increasing globalization of cyber threats.