The Grandoreiro banking trojan has reemerged in fresh phishing campaigns targeting users in Latin America and Europe, cybersecurity firm Forcepoint reports.
Active since at least 2016, the trojan initially operated in Brazil only, but started targeting Mexico, Portugal, and Spain in a series of attacks observed roughly half a decade ago.
Believed to be operating under a malware-as-a-service (MaaS) business model, part of the Tetrade umbrella, it appears to have survived law enforcement takedown attempts in 2021 and 2024, and the arrest of several of its operators.
In early 2024, Grandoreiro was seen targeting over 1,500 banking applications and websites in more than 60 countries, impersonating Argentinian, Mexican, and South African government entities.
By the fourth quarter of the year, it was targeting 1,700 banks and 276 crypto wallets, adding Asia to its list of targets and becoming a truly global financial threat.
More recently, Forcepoint observed phishing campaigns in which the banking trojan is impersonating tax agencies to steal funds from users in Argentina, Mexico, and Spain, relying on malicious links to the legitimate hosting services provider Contabo.
Victims are served an obfuscated Visual Basic script, along with a disguised Delphi-based executable meant to steal their credentials, with encrypted or password-secured compressed files used to evade detection.
The phishing emails, which leverage the OVHcloud cloud infrastructure, pretend to be tax penalty warnings and, under the disguise of a PDF document, fetch a payload from the file-sharing service Mediafire.
“Once executed, the malware steals credentials, searches for Bitcoin wallet directories, and connects to a [command-and-control] server. Attackers frequently change subdomains under contaboserver[.]net to evade detection. Users should stay cautious, avoid unknown emails, and use cybersecurity tools to protect against these threats,” Forcepoint notes.
Related: Browser Security Under Siege: The Alarming Rise of AI-Powered Phishing
Related: Scareware Combined With Phishing in Attacks Targeting macOS Users
Related: ‘DroidBot’ Android Trojan Targets Banking, Cryptocurrency Applications
Related: iOS Trojan Collects Face and Other Data for Bank Account Hacking
