December 10, 2023
Courtesy: ESET

Researchers have identified a new variant of the Grandoreiro malware, attributed to the threat actor TA2725. Previously known for targeting victims in Brazil and Mexico, the actor has expanded its reach to target banks in Spain as well.

The researchers noted an unusual increase in the frequency and volume of malicious activity targeting Spain, a departure from the malware’s traditional focus on Portuguese and Spanish speakers in the Americas. Brazil is among the most highly targeted countries for information stealers and other malware. Its widespread use of online banking provides opportunities for threat actors to exploit unsuspecting victims.

The Grandoreiro malware family, commonly written in Delphi, has been active for years, with various strains like Javali, Casbaneiro and Mekotio. The malware is capable of data theft through keyloggers and screen-grabbers and can steal bank login information from overlays on banking websites. Typically delivered via email lures, it executes a malicious file that contacts a C2 server.


Grandoreiro had primarily targeted banks in Brazil and Mexico. However, recent campaigns revealed that the malware’s bank credential-stealing overlays have expanded to include banks in Spain. This means that TA2725 can now simultaneously target victims in both Spain and Mexico without modifying the malware.

TA2725, known for using Brazilian banking malware and phishing, has been observed targeting credentials for banks in Brazil and Mexico, along with consumer credentials and payment information for Netflix and Amazon accounts.

Due to the rapid malware development and tenacity of threat actors in Latin America and South America, an increase in targets of opportunity outside that region who share a common language is expected, making this an evolving threat to organizations worldwide.
