Grandoreiro Malware Targets Banks in Spain: Cybersecurity Experts Warn of New Threat
A new variant of the Grandoreiro malware, previously known for its attacks on victims in Brazil and Mexico, has recently been identified by cybersecurity experts at Proofpoint. This latest version of Grandoreiro, attributed to the threat actor TA2725, has expanded its reach to target banks in Spain as well.
Increased Activity in Spain
In a recent advisory, Proofpoint researchers noted a significant increase in malicious activity targeting Spain, a country not typically targeted by this malware. This marks a departure from Grandoreiro’s usual focus on Portuguese and Spanish speakers in the Americas.
Brazil, one of the most highly targeted countries for information stealers and malware, has been a primary focus for Grandoreiro due to its widespread use of online banking, providing ample opportunities for threat actors to exploit unsuspecting victims.
Evolution of the Threat Landscape
According to Jared Peck, a researcher at Proofpoint, the Brazilian cyber threat landscape has evolved rapidly in recent years, becoming more complex and diverse. The increasing number of online users in the country has expanded the potential victim base for cybercriminals.
Grandoreiro belongs to a family of Brazilian banking malware, typically written in Delphi, that has been active for years and includes strains such as Javali, Casbaneiro, Mekotio, and Grandoreiro itself. This malware steals data through keyloggers and screen-grabbers, and harvests bank login information by displaying overlays on top of banking websites.
Expanding Target List
While Grandoreiro has historically focused on banks in Brazil and Mexico, recent campaigns have shown that the malware’s bank credential-stealing overlays now include banks in Spain as well. This expansion allows TA2725 to target victims in both Spain and Mexico simultaneously without modifying the malware.
TA2725, known for using Brazilian banking malware and phishing techniques, targets credentials for banks in Brazil and Mexico, as well as consumer credentials and payment information for popular accounts like Netflix and Amazon.
Global Impact
As cyber threats continue to evolve globally, organizations outside Latin America are at risk of being targeted by threat actors who select victims by shared language rather than by geography. The interconnected nature of the global supply chain means that organizations worldwide are vulnerable to attacks from cybercriminals operating in other regions.
As cybersecurity experts remain vigilant against the ever-changing threat landscape, it is crucial for organizations to implement robust security measures to protect against malware like Grandoreiro and safeguard sensitive information from falling into the hands of cybercriminals.