The Grandoreiro banking trojan, which has been targeting financial institutions and users across Latin America, is expanding globally.
It arrives through phishing campaigns that impersonate government tax agencies and law enforcement, with geofencing restricting delivery to specific regions.
The active Grandoreiro banking trojan campaigns represent a significant threat to financial institutions and individual users, according to Samantha Clarke, Mimecast senior threat research engineer and the Mimecast Threat Research team.
Grandoreiro is a well-known Brazilian banking trojan that has been active since 2016 and enables threat actors to perform fraudulent banking transactions. This sophisticated malware has evolved into a global threat, with recent campaigns expanding beyond its traditional Latin American focus to target users in Europe and Africa.
The actors employ sophisticated phishing campaigns that impersonate legitimate government entities, particularly tax agencies and law enforcement bodies. They use this approach to trick users into downloading malicious files. This social engineering approach leverages the inherent trust users place in official government communications to achieve high success rates in credential harvesting and malware deployment.
Recent Grandoreiro campaigns have demonstrated sophisticated understanding of regional government structures and user behaviour patterns. Threat actors deploy region-specific social engineering tactics that align with local administrative processes and official communication channels, similar to techniques observed in other Latin American banking trojans.
The Grandoreiro campaign employs sophisticated geofencing techniques to ensure malicious content is only delivered to users in targeted countries.
The infrastructure utilises subdomains of contaboserver.net that are specifically configured to deny access to users outside the intended geographic regions, maximising infection rates while minimising exposure to security researchers.
This multi-layered approach ensures that the malware is only delivered to intended victims while evading automated security scanning systems.
The attack flow incorporates JavaScript functions that perform browser verification before delivering the next stage of the attack through a hosted PDF file, typically involving the download of a malicious ZIP file.
The payload will then execute an .EXE file which connects back to a C2 IP address hosted on AWS. Supporting elements of the main malicious webpage were also observed during our investigation.
During Mimecast’s investigation process, the mailer panel used to send the phishing emails to their victims was discovered.
For non-Windows devices, redirection mechanisms prevent payload delivery, demonstrating the focus on Windows environments where the malware is most effective. Such devices are instead shown the message “This content is available exclusively for devices that operate on the Windows system, such as laptops and computers”.
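As an added detection example, not code from Mimecast's report: a Python sketch that correlates constructed web-proxy log lines to flag a client that reached a contaboserver.net subdomain and then completed the PDF, ZIP, EXE download chain described above. The log format, hostnames, client addresses and the ten-minute window are assumptions; a geofence denial (a non-200 response) is treated as no delivery.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample proxy log (not real traffic): "<ISO time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 GET https://vmi123.contaboserver.net/notice 200
2024-05-01T09:00:04 10.0.0.5 GET https://vmi123.contaboserver.net/notice.pdf 200
2024-05-01T09:00:30 10.0.0.5 GET https://vmi123.contaboserver.net/files/notice.zip 200
2024-05-01T09:01:10 10.0.0.5 GET https://vmi123.contaboserver.net/files/notice.exe 200
2024-05-01T09:05:00 10.0.0.9 GET https://vmi456.contaboserver.net/notice 403
2024-05-01T09:07:00 10.0.0.7 GET https://example.org/report.pdf 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")
GEOFENCED_DOMAIN = "contaboserver.net"  # hosting domain named in the report; subdomains vary
STAGES = (".pdf", ".zip", ".exe")       # delivery order described in the attack flow

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["host"] = re.match(r"^https?://([^/]+)", rec["url"]).group(1).lower()
    return rec

def stages_follow(start, recs, window):
    # True if a .pdf, then .zip, then .exe fetch occurs (in order) within `window` of `start`
    stage = 0
    for r in recs:
        if start["ts"] <= r["ts"] <= start["ts"] + window and r["url"].lower().endswith(STAGES[stage]):
            stage += 1
            if stage == len(STAGES):
                return True
    return False

def find_delivery_chains(log_text, window=timedelta(minutes=10)):
    # client -> landing host, for clients that hit *.contaboserver.net and completed the chain
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "200":   # a geofence denial (e.g. 403) delivers nothing
            by_client[rec["client"]].append(rec)
    hits = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for start in recs:
            if start["host"].endswith("." + GEOFENCED_DOMAIN) and stages_follow(start, recs, window):
                hits[client] = start["host"]
                break
    return hits
```

Run against real proxy data, the contaboserver.net landing alone is a weak signal (the domain also hosts legitimate servers); the ordered download chain within a short window is what makes the alert worth triage.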