
Grandoreiro Malware Takes Over Outlook Client to Send Phishing Emails


A phishing campaign targeting Latin American users has been tracked by X-Force, a cybersecurity research organization, since March 2024. The campaign sends emails to users in specific countries, impersonating legitimate entities such as tax and utility services. The emails urge recipients to click on links for invoices or account statements, creating a sense of urgency and exploiting trust in official institutions to trick users into compromising their own systems.

The emails contain a link that redirects users to a fake PDF icon while downloading a ZIP archive containing an executable disguised as a PDF. This malicious ZIP archive is the first stage of a multi-component banking trojan known as Grandoreiro. The phishing campaign has now expanded to target users outside of Latin America, impersonating tax authorities like the South African Revenue Service (SARS) and using tactics similar to past Grandoreiro campaigns in the region.

The emails are written in English or Spanish and reference a tax number and a downloadable invoice. Clicking on the provided PDF or XML link triggers the download of a ZIP archive containing the Grandoreiro loader disguised as a tax document. The loader protects its functionality with a custom three-step decryption process: it extracts a key string and then decodes the encrypted strings using custom encoding schemes.
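As an added illustration of a defensive check for the delivery stage described above (this is not code from the article or from X-Force), a mail gateway or sandbox can open the ZIP and flag entries whose bytes carry a Windows PE header while their file name claims to be a document. The archive, its file names and its contents are constructed here for the demonstration.

```python
import io
import zipfile

# Magic bytes: Windows PE images start with "MZ"; real PDFs start with "%PDF".
PE_MAGIC = b"MZ"
DOC_EXTS = (".pdf", ".xml", ".doc", ".docx", ".xls", ".xlsx")


def inspect_zip(data: bytes) -> list:
    """Return (entry_name, reason) for each archive member that looks like a lure.

    An entry is flagged when its bytes begin with a PE header but its name
    claims to be a document, either outright ("invoice.pdf") or through a
    double extension ("invoice.pdf.exe"). Any other PE file is reported too,
    since a mailed ZIP rarely has a legitimate reason to carry one.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))  # empty entries yield b"" and are skipped
            if not head.startswith(PE_MAGIC):
                continue
            lower = info.filename.lower()
            stem = lower.rsplit(".", 1)[0] if "." in lower else lower
            if lower.endswith(DOC_EXTS):
                findings.append((info.filename, "PE image carrying a document extension"))
            elif stem.endswith(DOC_EXTS):
                findings.append((info.filename, "PE image with document-style double extension"))
            else:
                findings.append((info.filename, "PE image in a mailed archive"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one lure entry and one genuine PDF header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Factura_2024.pdf.exe", PE_MAGIC + b"\x90" * 64)  # executable posing as a PDF
        zf.writestr("statement.pdf", b"%PDF-1.7\n%constructed sample\n")  # harmless document
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

The header check matters because the name alone is unreliable: Windows hides known extensions by default, so a user sees only "Factura_2024.pdf".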

The Grandoreiro loader then contacts a command-and-control (C2) server. It verifies the victim's environment, collects data about the victim's system, and backs off on machines in specific countries and on Windows 7 machines in the US that have no antivirus protection. It sends the encrypted victim profile to the C2 server, decrypts the address of the payload server, retrieves the final payload, establishes persistence, and targets over 1500 banks worldwide with region-specific attacks.

The banking trojan searches for targeted banking applications and cryptocurrency wallets, and if the configuration file is missing, creates a new one with default values. It uses a Domain Generation Algorithm (DGA) to calculate C2 server addresses and performs various malicious actions such as remote control, file transfer, web browsing, and stealing banking information.

Furthermore, Grandoreiro employs a layered decryption process for its numerous strings, extracting and decoding keys using custom methods and encrypting data with AES-ECB. This complex encryption scheme makes it difficult to detect and mitigate the threats posed by Grandoreiro.

Security experts advise users to be cautious when receiving emails from unknown sources, especially those containing links or attachments urging immediate action. By staying vigilant and avoiding clicking on suspicious links, users can protect themselves from falling victim to phishing campaigns and malware attacks.

In conclusion, the phishing campaign targeting Latin American users has evolved to target users outside the region with sophisticated tactics, posing a significant threat to cybersecurity. Organizations like X-Force play a crucial role in identifying and mitigating such threats to protect users and their systems from malicious attacks.
