Hola Espana: 'Grandoreiro' Trojan Targets Global Banking Customers

Brasileiro cybercrime has been on the rise. Now, one campaign targeting bank customers has reached beyond the Americas, into Europe.


The Brazilian banking malware known as "Grandoreiro" has crossed the pond, with a new campaign from TA2725 targeting customers in Spain, as well as Brazil and Mexico. 

Dark Web activity in Latin America has surged in the last two years, and it's largely concentrated in two countries. According to SOCRadar, 360 billion attempted cyberattacks peppered the region in 2022, with 187 billion and 103 billion affecting Mexico and Brazil, respectively.

Now there's increasing evidence that Latin American cybercrime is extending outwards.

Proofpoint has tracked TA2725 since March 2022. It's been known to hide bank account and credit card-sniffing malware inside of phishing emails, primarily directed to organizations either in its home country or Mexico. And according to a new blog post by Jared Peck, senior threat researcher at Proofpoint, the group has recently upgraded its signature malware to include institutions on both sides of the Atlantic.

Brazilian Malware in Spain

Grandoreiro attacks begin with a malicious URL in a phishing email. Lures may come in the form of a fake shared document, utility bill, tax form, etc. The URL leads to a ZIP file containing a loader which, when run, downloads a legitimate but vulnerable application. That application is then exploited through DLL sideloading, after which the final payload arrives.

Grandoreiro can harvest data via a keylogger, screen grabber, or an old-fashioned overlay on top of an online banking login page. These overlays mimic popular Brazilian and Mexican banks plus, in two campaigns observed late in August, banks located in Spain. (TA2725's phishing lures were also diversified, to mimic Spain-based organizations.)

This isn't the first time Brazilian Trojans have spanned the Atlantic. Earlier this year, for example, threat actors pulled a reverse Pedro Cabral, subjugating Portuguese bank customers in a campaign called "Operation Magalenha." This latest activity only furthers an emerging trend — that Brazilian malware is no longer contained to one continent.

Why Brazilian Cybercrime Is Having a Moment

Where once they seemed solely the domain of the northern hemisphere, banking trojans have thrived in Brazil in recent years. According to Peck, there are a few reasons why.

"The general population in many parts of the world, like Brazil and other parts of South America and Latin America, may not have been afforded the same access to cybersecurity education and protection technology as other parts of the world, but continue to grow their online presence. This situation leads to a lack of user awareness around phishing and malware threats, which, in turn, leads to a higher number of victims who click and are affected," he explains, adding that "this general population is upwardly mobile, leading to a larger middle class, so there is more opportunity to victimize a larger pool of a population."

According to Proofpoint, the most common malware families — including Grandoreiro, but also Casbaneiro, Javali, and Mekotio — possess a shared lineage: a Delphi-based ancestor from which source code components have been passed down and modified through generations.

Organizations in affected countries can look out for suspicious programs with these same elements. Or, as Peck emphasizes, they can focus on the human side of such compromises.

"Today's cyber threats rely on human interaction, not just technical exploits, so it is essential that organizations incorporate localized user security awareness training on identifying malicious phishing and threat actor tactics, techniques, and procedures while also empowering users to feel comfortable reporting their suspicions even after they may have fallen victim to an attack," he advises.

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
