TA2725’s Grandoreiro Banking Malware Expands to Spain and Mexico

Researchers at Proofpoint have been monitoring instances of malicious activity linked to banking malware in Brazil and neighboring countries for some time. More recently, they’ve noticed an uptick in multiple threat clusters targeting Spain.

These clusters, which usually focus on Portuguese and Spanish-speaking individuals in Brazil, Mexico, and other parts of the Americas, have been appearing more frequently in Spain, deviating from their typical pattern.

The cyber threat landscape in Brazil has rapidly evolved in recent years, becoming more intricate and diverse. With a growing number of people in the country going online, the pool of potential victims has expanded.

Reports from third-party sources indicate that Brazil is one of the top targets for information stealers and various malware. The widespread adoption of online banking in Brazil also provides opportunities for threat actors to manipulate individuals eager to perform financial transactions online.

Banking malware in Brazil comes in various forms, but according to Proofpoint's observations, many of them appear to share a common root: a Delphi code base whose source has been reused and modified over the years. This foundational code has given rise to numerous Brazilian malware strains, including Javali, Casbaneiro, Mekotio, and Grandoreiro.

Some of these strains, like Grandoreiro, are still actively being developed and can steal data through keyloggers and screen-grabbers, as well as capture bank login details through overlays when infected victims visit specified banking websites targeted by the threat actors.

Based on recent telemetry from Proofpoint, Grandoreiro typically starts its attack chain with a URL in an email. The email may contain various lures, such as shared documents, payment confirmations, tax forms, and utility bills.

Figure 2.1 (credit: Proofpoint): Example of TA2725 targeting of victims in Spain in August and September by spoofing ÉSECÈ Group, a Spanish manufacturing company.

When a victim clicks the URL, a zip file is downloaded that contains the loader, typically an MSI, HTA, or EXE file. If the victim runs the loader, it abuses a legitimate but vulnerable program bundled in the same zip file to execute malicious code. The loader then downloads and runs the final Grandoreiro payload and connects to a command and control (C2) server.
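The delivery chain above (emailed URL, zip, MSI/HTA/EXE loader, abused legitimate program, payload download, C2 connection) maps onto a few host-telemetry heuristics a defender can correlate. The example below is added here and is not Proofpoint's or the Grandoreiro authors' code; the event field names, the list of user-writable paths, the 120-second window and all sample events are constructed assumptions rather than any vendor's schema or real campaign data.

```python
"""
Heuristic detection for the Grandoreiro-style delivery chain: a ZIP holding a
loader (MSI / HTA / EXE) beside a legitimate program the loader abuses, followed
by a loader-spawned process from a user-writable path that calls out to the network.

All event data below is constructed for illustration; field names, path markers
and the time window are assumptions, not a vendor schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

LOADER_EXTENSIONS = (".msi", ".hta", ".exe")
EXECUTABLE_LIKE = LOADER_EXTENSIONS + (".dll",)
# Windows hosts that execute HTA and MSI files respectively.
SCRIPT_HOSTS = {"mshta.exe", "msiexec.exe"}
# Assumed user-writable locations where an extracted ZIP typically lands.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


@dataclass
class ProcessEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


@dataclass
class NetworkEvent:
    ts: datetime
    pid: int
    dest: str
    port: int


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)


def archive_is_suspicious(members: List[str]) -> bool:
    """A ZIP is suspicious when it carries a loader and at least one more
    executable module, i.e. the loader plus the program it will abuse."""
    lowered = [m.lower() for m in members]
    has_loader = any(m.endswith(LOADER_EXTENSIONS) for m in lowered)
    modules = sum(1 for m in lowered if m.endswith(EXECUTABLE_LIKE))
    return has_loader and modules >= 2


def detect_chain(procs: List[ProcessEvent], conns: List[NetworkEvent],
                 window: timedelta = timedelta(seconds=120)) -> List[str]:
    """Return one alert per observed stage: loader execution, a loader-spawned
    program from a user-writable path, and a network connection from that
    program within `window` of its start."""
    alerts: List[str] = []
    by_pid: Dict[int, ProcessEvent] = {p.pid: p for p in procs}
    loader_pids: Set[int] = set()
    abused_pids: Set[int] = set()

    for p in sorted(procs, key=lambda e: e.ts):
        name = _basename(p.image)
        if p.ppid in loader_pids and _in_user_writable(p.image):
            abused_pids.add(p.pid)
            alerts.append(f"stage2 abused program: pid {p.pid} {name} launched by loader pid {p.ppid}")
        elif name in SCRIPT_HOSTS and _in_user_writable(p.cmdline):
            loader_pids.add(p.pid)
            alerts.append(f"stage1 loader: pid {p.pid} {name} ran {p.cmdline!r}")
        elif _in_user_writable(p.image):
            # An executable run directly from a download location; noisy on its
            # own, so it only becomes interesting if it spawns stage2.
            loader_pids.add(p.pid)

    for c in sorted(conns, key=lambda e: e.ts):
        if c.pid in abused_pids and timedelta(0) <= c.ts - by_pid[c.pid].ts <= window:
            alerts.append(f"stage3 network: pid {c.pid} -> {c.dest}:{c.port} (possible payload fetch or C2)")
    return alerts


# Constructed sample telemetry: one malicious chain and one benign browser launch.
T0 = datetime(2023, 9, 1, 10, 0, 0)
PROCESS_EVENTS = [
    ProcessEvent(T0, 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(T0 + timedelta(seconds=5), 200, 100, r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Users\v\Downloads\factura\factura.hta"'),
    ProcessEvent(T0 + timedelta(seconds=9), 300, 200,
                 r"C:\Users\v\AppData\Local\Temp\vendorapp\vendorapp.exe", "vendorapp.exe"),
    ProcessEvent(T0 + timedelta(seconds=20), 400, 100, r"C:\Program Files\Browser\browser.exe", "browser.exe"),
]
NETWORK_EVENTS = [
    NetworkEvent(T0 + timedelta(seconds=15), 300, "203.0.113.10", 443),  # constructed TEST-NET address
    NetworkEvent(T0 + timedelta(seconds=25), 400, "198.51.100.7", 443),  # benign browser traffic
]

if __name__ == "__main__":
    print("archive flagged:", archive_is_suspicious(["factura.hta", "vendorapp.exe", "leeme.txt"]))
    for line in detect_chain(PROCESS_EVENTS, NETWORK_EVENTS):
        print(line)
```

The archive check runs at the mail or web gateway on the zip listing, while the process and network correlation runs over endpoint telemetry; either stage alone is noisy, so the value is in joining the loader, the child launched from a user-writable path, and the outbound connection that follows within the window.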

Previously, Grandoreiro's overlays targeted bank customers in Brazil and Mexico. Recent campaigns, however, show that this capability has expanded to include banks in Spain. Two campaigns attributed to TA2725 in late August 2023 used the same infrastructure and payload to target both Mexico and Spain simultaneously.

This means that Grandoreiro overlays now encompass banks in both Spain and Mexico within the same version, allowing threat actors to target victims in multiple geographic regions without altering the malware.

Threat actors from the Americas have previously targeted Spanish organizations, but they often used more generic malware or phishing campaigns tailored specifically for Spain.

Given the rapid evolution of this malware and the persistence of threat actors in Latin America and South America, it is anticipated that targeting will continue to expand to targets of opportunity outside these regions that share a common language.