Grandoreiro attack chain | Image: Forcepoint X-Labs
Cybercriminals are actively distributing the Grandoreiro banking trojan through large-scale phishing campaigns, primarily targeting banking users in Latin America and Europe. According to a report by Forcepoint X-Labs, this resurgence involves the use of advanced techniques to evade detection and maximize impact.
The report highlights a specific campaign targeting users in Mexico, Argentina, and Spain. In this campaign, attackers send fraudulent emails, often in Spanish, impersonating tax agencies. These emails contain urgent tax penalty warnings to induce victims to click on malicious links.
A key element of this attack is the use of legitimate hosting services to distribute the malware. The malicious links within the phishing emails direct users to VPS or dedicated servers hosted on Contabo’s infrastructure. The report notes that “attackers send fraudulent government emails embedded with malicious links to well-known legitimate hosting services provider Contabo.”
Upon clicking the link, victims are tricked into downloading a ZIP archive. This archive contains an obfuscated Visual Basic script and a disguised EXE payload, both designed to steal user credentials. The VBS script is heavily obfuscated, containing “a lot of unwanted characters ‘:’ used for obfuscation” and an embedded ZIP file in base64 format.
The attackers employ several evasion techniques to bypass security measures:
- Dynamic URLs: The subdomains used in the Contabo server URLs change frequently (e.g., vmi\d{7}.contaboserver.net) to evade detection.
- File Obfuscation: The VBS scripts are heavily obfuscated to make analysis and detection more difficult.
- Social Engineering: The phishing emails use social engineering tactics, such as creating a sense of urgency with tax penalty warnings, to deceive users.
- Legitimate Services: The attackers abuse legitimate services like Contabo and Mediafire to host and deliver malware, making it appear less suspicious.
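As an added defender-side illustration (this code is not from the Forcepoint report, and every sample in it is constructed), the following Python checks for the two indicators described above: phishing URLs pointing at rotating vmi\d{7}.contaboserver.net hosts, and a colon-padded VBS dropper carrying a base64-encoded ZIP, which is only accepted once the decoded bytes start with the ZIP header magic.

```python
"""Heuristics for the Grandoreiro delivery indicators described in the article.
Added example; the sample email and VBS below are constructed, not real artifacts."""
import base64
import io
import re
import zipfile

# Host pattern quoted in the report: 'vmi' followed by exactly seven digits.
CONTABO_VMI_RE = re.compile(r"\bvmi\d{7}\.contaboserver\.net\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def find_contabo_vmi_urls(text):
    """Return every URL in text whose host matches the rotating vmi pattern."""
    return [u for u in URL_RE.findall(text) if CONTABO_VMI_RE.search(u)]


def colon_noise_ratio(vbs):
    """Share of ':' characters in a script. A lone ':' is a legitimate VBScript
    statement separator, so a high ratio is a padding signal, not proof alone."""
    return vbs.count(":") / max(len(vbs), 1)


def extract_embedded_zip(vbs):
    """Drop runs of ':' padding, decode long base64 literals and return the first
    blob that starts with the ZIP local-file-header magic, or None."""
    cleaned = re.sub(r":{2,}", "", vbs)
    for candidate in re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", cleaned):
        try:
            blob = base64.b64decode(candidate, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob.startswith(b"PK\x03\x04"):
            return blob
    return None


def build_sample_vbs():
    """Constructed obfuscated dropper: colon padding around a harmless base64 ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payload.txt", "constructed placeholder, not malware")
    b64 = base64.b64encode(buf.getvalue()).decode()
    pad = ":" * 80
    return (f"Dim d{pad}\nd = \"{b64}\"{pad}\n"
            f"{pad}MsgBox \"Adobe Acrobat Reader has stopped working\"\n")


# Constructed phishing body in the style the report describes (tax penalty lure).
SAMPLE_EMAIL = ("Aviso de multa fiscal. Descargue su notificacion aqui:\n"
                "http://vmi1234567.contaboserver.net/notificacion.zip\n"
                "Soporte: https://www.example.com/ayuda\n")
```

Run `find_contabo_vmi_urls(SAMPLE_EMAIL)` and `extract_embedded_zip(build_sample_vbs())` to see the URL hit and the recovered ZIP bytes.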
The final payload is a Delphi-based EXE file. When executed, it may display a fake Adobe Acrobat Reader error prompt. In the background, the malware performs malicious actions, including:
- Establishing connections with command-and-control (C2) servers.
- Searching for Bitcoin wallet directories.
- Stealing user credentials.
- Collecting system information.
The Forcepoint X-Labs report confirms that “Cybercriminals are spreading the Grandoreiro banking trojan in Mexico, Argentina and Spain through phishing emails impersonating a tax agency.” The report emphasizes the attackers’ use of Contabo-hosted servers, obfuscation techniques, and social engineering to effectively distribute the malware. To defend against these threats, users are advised to exercise caution with unsolicited emails and employ robust cybersecurity tools.