07 December 2023

Grandoreiro banking malware targets Mexico and Spain

Grandoreiro is a modular backdoor that supports the following capabilities:

Keylogging
Auto-Updation for newer versions and modules
Web-Injects and restricting access to specific websites
Command execution
Manipulating windows
Guiding the victim’s browser to a certain URL
C2 Domain Generation via DGA (Domain Generation Algorithm)
Imitating mouse and keyboard movements

The campaign began in June 2022 and is still ongoing, the attacks hit organizations in multiple industries, such as Automotive, Chemicals Manufacturing, and others. The threat actors behind this campaign impersonate Mexican Government Officials, the malware uses multiple anti-analysis techniques along with implementation of Captcha for evading Sandboxes.