Cyber security experts at Proofpoint have identified a new variant of the Grandoreiro malware, previously known for targeting victims in Brazil and Mexico. This latest version of Grandoreiro, attributed to the threat actor TA2725, has expanded its reach to target banks in Spain.
Writing in an advisory published today, the researchers said they recently noticed an unusual increase in the frequency and volume of malicious activity in Spain, a deviation from the malware's traditional focus on Portuguese and Spanish speakers in the Americas.
According to Proofpoint, Brazil is one of the countries most targeted by information stealers and other malware. The widespread use of online banking offers threat actors opportunities to exploit unsuspecting victims.
“The landscape of Brazilian cyber threats has changed rapidly in recent years and has become increasingly complicated and more diverse,” explains Proofpoint researcher Jared Peck. “More people than ever are online in the country, which means that the potential victim base has increased.”
The Grandoreiro malware family, usually written in Delphi, has been active for years, with different strains such as Javali, Casabeniero, Mekotio and Grandoreiro itself. The malware is capable of data theft through keyloggers and screen grabbers and can steal bank information using overlays on bank websites. Usually delivered via e-mail, it executes a malicious file that contacts a command-and-control (C2) server.
Until recently, Grandoreiro was primarily aimed at banks in Brazil and Mexico. Recent campaigns, however, showed that the malware's bank overlays have been expanded to include banks in Spain. This means that TA2725 can now target victims in both Spain and Mexico at the same time without changing the malware.
TA2725, known for its use of Brazilian banking malware and phishing, has been observed targeting credentials for banks in Brazil and Mexico, together with consumer credentials and payment information for Netflix and Amazon accounts.
“Given the rapid development of malware and tenacity of threat actors in Latin America and South America, we expect an increase in opportunities outside that region that share a common language,” Peck wrote in the advisory.
“While the global supply chain continues to evolve and trust suppliers around the world, the targeting of organizations outside the normal service area of a company continues to pose an increasing threat to all organizations worldwide.”