May 20, 2024
Severity
High
Analysis Summary
After being taken down by law enforcement in January, the threat actors responsible for the Grandoreiro banking malware, which targets Windows, have resurfaced and launched a global campaign since March 2024.
Over 1,500 banks worldwide are the target of large-scale phishing attempts, probably carried out by other threat actors under a malware-as-a-service (MaaS) model. These banks are spread over more than 60 nations in Central and South America, Africa, Europe, and the Indo-Pacific region. The malware analysis found major modifications to the domain generation algorithm (DGA) and string decryption, along with the capability to leverage Microsoft Outlook clients on compromised hosts to disseminate further phishing emails.
“The reworked malware and new targeting may indicate a change in strategy since the latest law enforcement action against Grandoreiro, likely prompting the operators to start expanding the deployment of Grandoreiro in global phishing campaigns, beginning with South Africa,” said the researchers.
The attack chain starts with phishing emails that, depending on how convincing they are and which government agency they are impersonating, direct recipients to click on a link to view an invoice or submit a payment. When users click the link, they are taken to a PDF icon image, which eventually prompts them to download a ZIP package containing the Grandoreiro loader program.
To evade anti-malware scanning tools, the modified loader is deliberately padded to exceed 100 MB. The loader is also responsible for downloading and running the main banking trojan, collecting basic victim information, sending it to a command-and-control (C2) server, and checking that the compromised host is not a sandboxed environment. Notably, the same checks cause the loader to skip Windows 7 computers based in the United States that do not have antivirus software installed, as well as systems geolocated in Russia, Czechia, Poland, and the Netherlands.
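The padded-loader behaviour described above can be screened for without extracting the archive, since a ZIP's central directory already records each entry's uncompressed and compressed sizes. The following is an added defensive example, not code from the original advisory; the size and ratio thresholds and the sample archive are constructed here.

```python
import hashlib
import io
import zipfile

# The advisory reports the loader being inflated past 100 MB to dodge scanners.
INFLATED_SIZE_BYTES = 100 * 1024 * 1024
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".msi")


def inspect_archive(data: bytes, size_threshold: int = INFLATED_SIZE_BYTES,
                    ratio_threshold: float = 50.0) -> list:
    """Flag executables inside a ZIP whose uncompressed size crosses the
    threshold or whose compression ratio points at junk padding.
    Only the central directory is read; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(EXEC_SUFFIXES):
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            inflated = info.file_size >= size_threshold
            padded = ratio >= ratio_threshold  # zero-filled padding deflates ~1000:1
            if inflated or padded:
                findings.append({
                    "name": info.filename,
                    "file_size": info.file_size,
                    "compress_size": info.compress_size,
                    "ratio": round(ratio, 1),
                    "inflated": inflated,
                    "padded": padded,
                })
    return findings


def incompressible(n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for real code."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_archive(exe_body: bytes) -> bytes:
    """Constructed sample ZIP: one 'invoice' executable plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + exe_body)
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()
```

A 2 MB zero-padded entry triggers both checks; a 4 KB high-entropy entry passes with the default thresholds, which is the distinction a mail gateway or endpoint rule would key on.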
The trojan component first establishes persistence through the Windows Registry, then uses a modified DGA to locate a C2 server and retrieve further instructions. Grandoreiro supports several commands that threat actors can use to control the system remotely, manipulate files, and activate special modes. One such module collects Microsoft Outlook information and uses the victim's email account to send spam to other targets.
Grandoreiro uses the Outlook Security Manager tool, a program used to create Outlook add-ins, to interact with the local Outlook client. It does so primarily to avoid the Outlook Object Model Guard, which detects access to protected objects and raises security alerts. By driving the local Outlook client, Grandoreiro can propagate by email through compromised victim inboxes, which probably accounts for the high volume of spam observed coming from Grandoreiro.
Impact
- Financial Loss
- Sensitive Data Theft
- File Manipulation
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multi-factor authentication (MFA) mechanisms such as biometric verification or one-time passwords (OTPs) to add an extra layer of security to banking transactions.
- Utilize advanced threat detection and monitoring tools to proactively identify and respond to suspicious activities or anomalies indicative of mobile banking trojan activity.
- Adopt secure coding practices and conduct regular security assessments and code reviews to identify and remediate vulnerabilities in mobile banking applications.
- Educate users about the risks associated with mobile banking trojans including phishing scams, social engineering tactics, and suspicious app downloads.
- Establish partnerships with other financial institutions, cybersecurity firms, and law enforcement agencies to share threat intelligence and collaborate on the detection and mitigation of mobile banking trojan campaigns.
- Adhere to industry regulations and compliance standards governing data protection, privacy, and financial transactions.
- Deploy advanced security technologies such as endpoint detection and response (EDR) solutions, network intrusion detection systems (NIDS), and machine learning-based anomaly detection tools to detect and prevent mobile banking trojan infections.