A new variant of the Grandoreiro malware, traditionally focused on Brazil and Mexico, has expanded its reach to target victims in Spain and Mexico. Researchers from Proofpoint have identified an upsurge in malicious activity targeting Spanish-speaking users in Spain, deviating from its previous focus on Portuguese and Spanish speakers in the Americas.
The evolving Brazilian cyber threat landscape, coupled with the increased number of people online in the country, has made Brazil one of the most highly-targeted countries for information theft and malware, with a specific emphasis on online banking users.
The threat posed by Brazilian banking malware is multifaceted, with most strains appearing to have a common Delphi-written ancestor, whose source code has been adapted and reused over several years. This lineage has spawned various Brazilian malware varieties, including Grandoreiro, known for its active development and ability to steal data through keyloggers and screen-capturers.
Recent campaigns have demonstrated the malware’s ability to target Spanish banks, suggesting that its capabilities have expanded beyond the Americas. The attack involves a multi-stage process, starting with malicious email lures containing various baits, such as shared documents or tax forms, and culminates in the delivery of a Grandoreiro payload with the ability to steal bank login information.
The threat actor, TA2725, previously known for using Brazilian banking malware and phishing to target organizations in Brazil and Mexico, has taken on an expanded role, targeting consumer credentials and payment information for Netflix and Amazon accounts.
The Brazilian banking malware’s relentless development and the adaptability of threat actors across Latin and South America are likely to result in an increase in targets beyond their traditional regions. The global supply chain’s reliance on suppliers worldwide also increases the risk to organizations that may fall outside their usual service region.