Grandoreiro, a banking Trojan that has been active since 2016, is once again drawing attention. New campaigns target banks in Portugal and organizations in Spain, Mexico, and the wider Latin American region.
Law enforcement operations coordinated by INTERPOL with local police in 2021 and 2024 took down only part of the criminal operation behind the malware. The current resurgence shows that the remaining operators are still active and still dangerous.
Recent Campaigns of Grandoreiro
According to a report by WatchGuard, the current operations use two delivery techniques: DLL side-loading and a malicious VBS script. Both chains start with a phishing email that lures the victim into clicking a link, which in turn delivers the loader.
Phishing is the initial point of contact, and the attackers host their infrastructure on well-known cloud platforms such as Google Cloud, Microsoft Azure, and Amazon. Because download and command-and-control traffic then goes to services that legitimate software also talks to, it blends with normal network traffic, and domain or IP reputation alone will not flag it.
Technical Analysis of the Malware
In the DLL side-loading chain, a legitimate, signed executable is shipped together with a malicious DLL that carries the name of a library the executable expects to load, here libwebp.dll and mingw10.dll. Because Windows searches the application's own directory before the system directories, the trusted binary loads the attacker's DLL and runs the Trojan under its own process. That process then connects to various cloud services, so its traffic looks like routine web-conferencing data.
The code also carries anti-analysis measures, including checks for attached debuggers and for virtual machines, so that the payload stays benign inside sandboxes and analyst environments; a clean sandbox detonation is therefore not evidence that a sample is harmless. The malware also contains strings in Chinese script, suggesting that more than one group or code base contributed to it.
VBS Script and Geofencing Tactics
The second campaign variant uses a deceptive web page hosted on Contabo servers that is geofenced: it serves its content only to visitors whose IP address geolocates to the targeted regions, and shows nothing malicious to anyone else, including URL scanners and analysts outside those regions. The page leads to a Mediafire-hosted file that runs a heavily obfuscated VBS script, which installs the malware on the target system.
Once running, the malware shows a fake Adobe Reader update prompt to keep the user occupied while it steals credentials and logs keystrokes in the background. The decoy is a social-engineering device: it gives the user a plausible reason for the activity they just triggered.
WatchGuard’s experts advise enhanced security measures beyond basic email and endpoint protections. They emphasize the importance of layered, behavior-based detection systems to address the evolving sophistication of threats like Grandoreiro.
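The following is an added illustration of what such behavior-based detection can look like for the two chains described above (the signed binary side-loading libwebp.dll or mingw10.dll, and the dropped VBS script that launches the fake updater). It is example code, not WatchGuard's rules and not code from the report. The event schema, the sample telemetry and the list of user-writable directories are assumptions made for the example.

```python
"""Behaviour-based rules for the two Grandoreiro delivery chains described above.

Added, illustrative example: not WatchGuard's rules, not code from the report.
The event schema, sample events and user-writable path list are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

SIDELOAD_DLL_NAMES = {"libwebp.dll", "mingw10.dll"}   # names the report mentions
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}         # hosts that run a dropped .vbs
# Directories an ordinary user can write to; phishing payloads land here (assumption).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class Event:
    """Simplified EDR-style telemetry record (constructed schema)."""
    kind: str                  # "image_load" or "process_create"
    pid: int
    image: str                 # full path of the process image
    signed: bool = True        # Authenticode status of the process image
    module: str = ""           # image_load: path of the loaded DLL
    module_signed: bool = True
    parent_image: str = ""     # process_create: parent process image
    cmdline: str = ""          # process_create: command line


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def detect_sideload(ev: Event) -> Optional[str]:
    """A signed EXE loading an unsigned DLL with a side-loaded name from its own,
    user-writable directory is the classic side-loading shape."""
    if ev.kind != "image_load":
        return None
    dll = ntpath.basename(ev.module).lower()
    if dll not in SIDELOAD_DLL_NAMES:
        return None
    same_dir = ntpath.dirname(ev.module).lower() == ntpath.dirname(ev.image).lower()
    if ev.signed and not ev.module_signed and same_dir and is_user_writable(ev.module):
        return (f"pid {ev.pid}: signed {ntpath.basename(ev.image)} side-loaded "
                f"unsigned {dll} from {ntpath.dirname(ev.module)}")
    return None


_VBS_PATH = re.compile(r'"([^"]+\.vbs)"|(\S+\.vbs)', re.IGNORECASE)


def detect_vbs_chain(ev: Event) -> Optional[str]:
    """A script host running a .vbs from a user-writable location, or a process
    spawned by such a script host from a user-writable location."""
    if ev.kind != "process_create":
        return None
    image = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    if image in SCRIPT_HOSTS:
        m = _VBS_PATH.search(ev.cmdline)
        if m:
            script = m.group(1) or m.group(2)
            if is_user_writable(script):
                return f"pid {ev.pid}: {image} ran user-dropped script {script}"
    elif parent in SCRIPT_HOSTS and is_user_writable(ev.image):
        return f"pid {ev.pid}: {parent} spawned payload {ev.image}"
    return None


RULES = (detect_sideload, detect_vbs_chain)


def scan(events: List[Event]) -> List[str]:
    """Run every rule over every event and return the alerts in order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry: two malicious chains and two benign lookalikes.
SAMPLE_EVENTS = [
    # 1. Signed host binary dropped to AppData with an unsigned libwebp.dll beside it.
    Event("image_load", 4120, r"C:\Users\ana\AppData\Roaming\Meet\meet.exe",
          module=r"C:\Users\ana\AppData\Roaming\Meet\libwebp.dll", module_signed=False),
    # 2. Benign: same DLL name, but signed and installed under Program Files.
    Event("image_load", 800, r"C:\Program Files\Editor\editor.exe",
          module=r"C:\Program Files\Editor\libwebp.dll"),
    # 3. The user double-clicks a downloaded .vbs.
    Event("process_create", 5200, r"C:\Windows\System32\wscript.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'wscript.exe "C:\Users\ana\Downloads\Fatura 2024.vbs"'),
    # 4. The script starts the dropped executable (the fake "Adobe Reader update").
    Event("process_create", 5244, r"C:\Users\ana\AppData\Local\Temp\AdobeUpdate.exe",
          parent_image=r"C:\Windows\System32\wscript.exe"),
    # 5. Benign: a vendor maintenance script run by cscript from Program Files.
    Event("process_create", 6100, r"C:\Windows\System32\cscript.exe",
          parent_image=r"C:\Windows\System32\svchost.exe",
          cmdline=r'cscript.exe "C:\Program Files\Vendor\maint.vbs"'),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample events, the rules raise three alerts (the side-load, the script execution and the spawned payload) and stay quiet on the two benign lookalikes. The point of the signed-parent plus unsigned-child plus user-writable-directory combination is that none of the three conditions is suspicious on its own; it is the conjunction that separates side-loading from ordinary software, which is what "behavior-based" buys over hash or name matching.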
The persistent nature of Grandoreiro and its advanced techniques underscore the ongoing challenges in cybersecurity. As this threat continues to adapt, organizations must remain vigilant in their security strategies to safeguard against potential financial losses.
