- Nov 3, 2019
The Grandoreiro banking malware uses remote overlay and a fake Chrome browser plugin to steal from banking customers.
Researchers are warning of a remote overlay malware attack that leverages a fake Chrome browser plugin to target the accounts of banking customers in Spain.
Grandoreiro is a type of remote overlay banking trojan, designed to help attackers take over devices and display a full-screen overlay image when a victim accesses their online banking account. In the background, meanwhile, the attacker initiates a fraudulent money transfer from the compromised account. The Grandoreiro malware, at the heart of this attack, is commonly known for exclusively targeting banking customers in Brazil – so this latest attack shows its operators expanding to victims in new countries.
The campaign, uncovered as early as February 2020, uses coronavirus-themed videos (sent via malspam messages) to trick users into clicking on a URL that takes them to a boobytrapped website, said Dani Abramov and Limor Kessem, researchers with IBM X
On that boobytrapped website, victims are then persuaded to download an .MSI file from a GitHub repository, which is actually the malware loader. The Grandoreiro payload is then fetched via a hardcoded URL within the loader’s code.
After download, Grandoreiro establishes a connection with its command-and-control (C2) server, which researchers say allows the malware to send notifications about machine information and facilitate remote access capabilities to the attacker when a victim accesses a banking site.
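The infection chain described above (an .MSI loader pulled from GitHub, followed by a second-stage fetch from a hardcoded URL) can be hunted for in web-proxy logs. The following is an added example, not code from the researchers or the article; the log format, hostnames and time window are constructed assumptions, not indicators from the report.

```python
"""Correlate proxy-log events into the loader chain described above.

Added example with constructed log lines; nothing here is an indicator
from the article. Chain of interest: an .msi fetched from a github.com
URL, then the same client pulling a binary from a different domain
within a short window (the loader fetching its hardcoded payload URL).
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "<iso-time> <client-ip> <url> <status>"
SAMPLE_LOG = """\
2020-04-01T09:00:01 10.0.0.5 https://github.com/exampleuser/repo/raw/main/invoice.msi 200
2020-04-01T09:00:40 10.0.0.5 http://cdn.example-placeholder.net/stage2.bin 200
2020-04-01T09:05:00 10.0.0.7 https://github.com/someorg/tool/releases/download/v1/setup.msi 200
2020-04-01T09:06:00 10.0.0.7 https://www.bank-example.test/login 200
"""

WINDOW = timedelta(minutes=5)            # assumed correlation window
STAGE2_SUFFIXES = (".bin", ".exe", ".dll", ".zip")  # assumed payload types


def parse_log(text):
    """Yield (time, client, url) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, client, url, _status = line.split()
        yield datetime.fromisoformat(ts), client, url


def find_loader_chains(text, window=WINDOW):
    """Return [(client, msi_url, stage2_url)] for clients that fetched an
    .msi from github.com and then a binary from another domain in window."""
    pending = {}   # client -> (time of .msi download, msi_url)
    hits = []
    for ts, client, url in parse_log(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if host.endswith("github.com") and path.endswith(".msi"):
            pending[client] = (ts, url)      # possible loader download
            continue
        if client in pending and not host.endswith("github.com") \
                and path.endswith(STAGE2_SUFFIXES):
            msi_ts, msi_url = pending[client]
            if ts - msi_ts <= window:        # second stage soon after loader
                hits.append((client, msi_url, url))
                del pending[client]
    return hits
```

Client 10.0.0.7 downloads an installer from GitHub but never fetches a follow-on binary, so only 10.0.0.5 is flagged.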