Cybersecurity experts at Proofpoint have identified a new variant of the Grandoreiro malware, previously known for targeting victims in Brazil and Mexico. This latest version of Grandoreiro, attributed to the threat actor TA2725, has expanded its reach to target banks in Spain as well.
Writing in an advisory published today, the researchers said they recently noticed an unusual increase in the frequency and volume of malicious activity targeting Spain, a departure from the malware’s traditional focus on Portuguese and Spanish speakers in the Americas.
According to Proofpoint, Brazil is among the most highly targeted countries for information stealers and other malware. Its widespread use of online banking provides opportunities for threat actors to exploit unsuspecting victims.
“The Brazilian cyber threat landscape has changed rapidly over the last several years, becoming more complicated and diverse,” explained Proofpoint researcher Jared Peck. “More people than ever are online in the country, meaning the potential victim base has increased.”
The Grandoreiro malware family, commonly written in Delphi, has been active for years, with various strains like Javali, Casabeniero, Mekotio and Grandoreiro itself. The malware is capable of data theft through keyloggers and screen-grabbers and can steal bank login information from overlays on banking websites. Typically delivered via email lures, it executes a malicious file that contacts a command-and-control (C2) server.
Read more on Grandoreiro: Researchers Spot Banking Trojan Using #COVID19 Crisis to Attack Users
Until recently, Grandoreiro had primarily targeted banks in Brazil and Mexico. However, recent campaigns revealed that the malware’s bank credential-stealing overlays have expanded to include banks in Spain. This means that TA2725 can now simultaneously target victims in both Spain and Mexico without modifying the malware.
TA2725, known for using Brazilian banking malware and phishing, has been observed targeting credentials for banks in Brazil and Mexico, along with consumer credentials and payment information for Netflix and Amazon accounts.
“Given the rapid malware development and tenacity of threat actors in Latin America and South America, we expect to see an increase in targets of opportunity outside that region who share a common language,” Peck wrote in the advisory.
“As the global supply chain continues to evolve and rely on suppliers around the world, the targeting of organizations outside of a company’s normal service region will continue to be an increasing threat to all organizations worldwide.”