New Phishing Campaigns Targeting Latin America and Europe: Forcepoint X-Labs Reveals Latest Threat


Phishing attacks remain one of the most prevalent and dangerous cybersecurity threats across the globe. Recently, Forcepoint X-Labs researchers have uncovered new phishing campaigns targeting Latin America and Europe, focusing on specific countries such as Mexico, Argentina, Spain, and Brazil. The report highlights the ongoing presence of a Trojan known as Grandoreiro, which has been active since 2016. Initially, it targeted Brazil but has since expanded its reach to other countries, particularly Mexico, Portugal, and Spain since 2020. This article delves into the details of the threat, the tactics used by attackers, and the steps users and organizations can take to protect themselves.

The Threat: Grandoreiro Trojan and Its Capabilities

Forcepoint X-Labs recently identified large-scale phishing campaigns that utilize Grandoreiro, a modular backdoor Trojan that has been active for years. Initially targeting Brazil, the Trojan now affects various Latin American and European countries, including Mexico, Argentina, Spain, and Portugal.

Key Features of the Grandoreiro Trojan:

  • Modular Backdoor: The Trojan has a modular architecture, which allows attackers to adapt it for different purposes. It is primarily designed to steal sensitive data, including credentials, system information, and cryptocurrency-related data.
  • Obfuscation and Evasion: A central tactic is obfuscation. The attackers host their infrastructure on Virtual Private Servers (VPS) and use techniques that disguise the malicious code so that security systems fail to detect it.
  • Malicious Phishing Campaigns: The phishing campaigns use fake tax agency emails to trick users into downloading malicious attachments. These attachments often contain Visual Basic scripts (VBS) or disguised executable files (EXE).

Forcepoint’s report details a specific campaign targeting users in Mexico, Argentina, and Spain, in which attackers impersonate tax authorities. This scam involves sending phishing emails that include malicious links. These links redirect users to VPS or dedicated servers hosted on Contabo, a cloud hosting provider, where attackers host their malicious content.

The email contains a button labeled “Download PDF,” which, when clicked, directs the user to a zip file hosted on MediaFire. Upon downloading the zip file, the user unwittingly executes an obfuscated VBS script that decodes a base64 stream and drops an EXE file in the system directory. This EXE, masquerading as a PDF file, is designed to exploit vulnerabilities in Adobe Acrobat Reader to trigger an error, after which it attempts to connect to a Command and Control (C2) server.
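The dropper pattern described above (a VBS script carrying a base64 stream that decodes to an EXE) is something a mail gateway or sandbox pre-filter can look for statically. The following Python triage script is an added example, not code from the Forcepoint report or from this post: it undoes VBS line continuations, merges concatenated string literals, base64-decodes anything that looks like a blob, and checks whether the result is PE-shaped, alongside a list of COM object names such droppers commonly use. The VBS it scans is constructed here and deliberately non-functional (the decode-and-write steps exist only as a comment), and the "payload" is an inert zero-filled header with a valid e_lfanew, not an executable.

```python
import base64
import binascii
import re
import struct

# Indicator strings commonly seen in VBS droppers that decode base64 and write a file.
INDICATORS = ["MSXML2.DOMDocument", "bin.base64", "ADODB.Stream",
              "SaveToFile", "WScript.Shell", "System32"]
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
LITERAL_RE = re.compile(r'"([^"]*)"')


def build_fake_pe() -> bytes:
    """Constructed, inert PE-shaped bytes: MZ header, e_lfanew -> 'PE\\0\\0', rest zero."""
    hdr = bytearray(b"MZ" + b"\x00" * 58)     # 60 bytes of DOS header
    hdr += struct.pack("<I", 64)               # e_lfanew at 0x3c points to offset 0x40
    hdr += b"PE\x00\x00" + b"\x00" * 16        # PE signature plus filler
    return bytes(hdr)


def build_sample_vbs() -> str:
    """Constructed VBS fragment mimicking the dropper: the blob is split across
    concatenated literals and line continuations; decode/write steps are a comment only."""
    b64 = base64.b64encode(build_fake_pe()).decode()
    chunks = [b64[i:i + 20] for i in range(0, len(b64), 20)]
    blob = " & _\n    ".join(f'"{c}"' for c in chunks)
    return (
        "' constructed sample for scanner testing, not a working dropper\n"
        "Dim payload\n"
        f"payload = {blob}\n"
        'Set stm = CreateObject("ADODB.Stream")\n'
        "' decode of payload via MSXML2.DOMDocument/bin.base64 and SaveToFile into\n"
        "' System32, followed by WScript.Shell Run, intentionally omitted\n"
    )


def extract_base64_candidates(script: str) -> list[str]:
    # Undo VBS line continuations so a blob split over many lines becomes one statement.
    joined = re.sub(r"_\r?\n", "", script)
    candidates = []
    for line in joined.splitlines():
        literals = LITERAL_RE.findall(line)
        if not literals:
            continue
        # Treat every literal on a statement as concatenated (the "a" & "b" idiom).
        merged = "".join(literals).strip()
        if B64_RE.match(merged):
            candidates.append(merged)
    return candidates


def looks_like_pe(data: bytes) -> bool:
    """True when the bytes have an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_vbs(script: str) -> dict:
    report = {"indicators": [k for k in INDICATORS if k in script],
              "embedded_pe": False, "payload_size": 0}
    for cand in extract_base64_candidates(script):
        try:
            decoded = base64.b64decode(cand, validate=True)
        except binascii.Error:
            continue                      # not valid base64 after all
        if looks_like_pe(decoded):
            report["embedded_pe"] = True
            report["payload_size"] = len(decoded)
            break
    strong = report["embedded_pe"] and len(report["indicators"]) >= 2
    report["verdict"] = "suspicious" if strong else "review"
    return report


if __name__ == "__main__":
    print(triage_vbs(build_sample_vbs()))
```

The "suspicious" verdict deliberately requires both an embedded PE and at least two API indicators; a script that only mentions ADODB.Stream, or only carries a long base64 string, is common in legitimate automation and should go to review rather than be blocked outright.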

Exploitation and Data Theft:

The Trojan is specifically designed to extract sensitive data from the infected system, including personal information, system configurations, and Bitcoin wallet files. The malware communicates with the C2 server using custom URIs and unusual ports, making it harder for traditional security systems to detect and block the attack.
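The C2 traits named above (custom URIs on unusual ports) are detectable on the network side even without a signature for the malware itself. Here is an added Python example, not code from the report or from this post, that scores constructed web-proxy log lines on three independent signals: a destination port outside the environment's web baseline, a raw IP address as the destination host, and a URI path built from random-looking alphanumeric tokens with no file extension. The log format, the TEST-NET destination addresses, the `.example` hostnames, the port baseline and the entropy threshold are all assumptions chosen for the illustration.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log lines (no real telemetry): timestamp client dest:port method url status.
# Destinations use the TEST-NET-3 documentation range and .example names.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.0.5.23 tax-portal.example:443 GET https://tax-portal.example/portal/login 200
2025-03-01T10:00:09Z 10.0.5.23 203.0.113.45:443 GET https://203.0.113.45/ 200
2025-03-01T10:01:17Z 10.0.5.23 203.0.113.45:7891 POST http://203.0.113.45:7891/zxq9k2lm/7h3fd 200
2025-03-01T10:02:03Z 10.0.7.11 intranet.example:8443 GET https://intranet.example:8443/reports/q1.pdf 200
"""

STANDARD_WEB_PORTS = {80, 443, 8080, 8443}       # assumed baseline for this environment
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 8 distinct characters in 8 gives exactly 3.0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_uri(url: str) -> bool:
    """Flag paths made of random-looking mixed alphanumeric tokens with no file extension."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if not segments or "." in segments[-1]:
        return False
    return any(len(s) >= 6
               and any(ch.isdigit() for ch in s)
               and any(ch.isalpha() for ch in s)
               and shannon_entropy(s) >= 2.8
               for s in segments)


def flag_c2_candidates(log_text: str) -> list[dict]:
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                              # skip malformed lines
        ts, client, dest, method, url, status = fields
        host, port = dest.rsplit(":", 1)
        port = int(port)
        reasons = []
        if port not in STANDARD_WEB_PORTS:
            reasons.append(f"non-standard port {port}")
        if IPV4_RE.fullmatch(host):
            reasons.append("raw IP destination")
        if is_suspicious_uri(url):
            reasons.append("random-looking extensionless URI")
        # Two independent signals are required, so that an internal service on an odd
        # port or a CDN reached by IP does not trip the rule on its own.
        if len(reasons) >= 2:
            flagged.append({"time": ts, "client": client, "host": host,
                            "port": port, "method": method, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_c2_candidates(SAMPLE_LOG):
        print(hit)
```

On the constructed sample only the POST to 203.0.113.45:7891 is flagged, and it trips all three signals; the plain GET to the same IP on 443 accumulates just one and is left alone, which is the trade-off the two-signal threshold makes between coverage and analyst noise.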

What Undercode Says:

In analyzing the Grandoreiro Trojan campaign, it is clear that the attackers have adapted their strategies over time to evade security measures. The use of obfuscation and VPS hosting, particularly with providers like Contabo, is a sophisticated tactic to bypass detection. By frequently changing subdomains and using password-protected files, they add an additional layer of complexity to their efforts.

These campaigns reflect a broader trend of evolving phishing tactics. Cybercriminals are becoming increasingly adept at targeting specific regions with localized content, such as emails impersonating local tax authorities. This personalization makes the attacks more convincing and difficult for average users to recognize as malicious.

Furthermore, the fact that the malware targets cryptocurrency wallet files highlights the growing interest in stealing digital assets. This is particularly alarming as the number of individuals investing in cryptocurrencies continues to rise, making them prime targets for attackers.

Organizations should take note of the fact that traditional security systems may not be enough to protect against these sophisticated campaigns. Multi-layered defenses, including advanced threat detection, network monitoring, and employee training on identifying phishing attempts, are crucial in mitigating the risk posed by threats like Grandoreiro.

From a cybersecurity perspective, the continued success of these campaigns demonstrates the effectiveness of phishing as a tool for cybercriminals. As more individuals and businesses rely on digital communication and online transactions, the need for robust security measures has never been more critical. Users must be vigilant when interacting with unsolicited emails and attachments, especially those containing links or files from unfamiliar sources.

Fact Checker Results:

  • VPS Hosting: Attackers are using VPS hosting services like Contabo to host malicious content, which adds complexity to detection and blocking.
  • Evasion Tactics: The phishing emails include obfuscated VBS scripts and password-protected files, making it harder for traditional security tools to detect the threat.
  • Cryptocurrency Targeting: The malware specifically targets Bitcoin wallet files, reflecting the increasing trend of cybercriminals focusing on digital currencies.

References:

Reported By: https://securityaffairs.com/175964/malware/crooks-are-reviving-the-grandoreiro-banking-trojan.html