The banking Trojan Grandoreiro has been taking advantage of the COVID-19 crisis to attack users, an analysis by ESET has shown. The internet security company has found the Trojan hiding in videos on fake websites that promise to provide vital information about the virus. Attempting to play the video leads to the download of a payload on the visitors’ device.
Grandoreiro has been seen operating since 2016, and targets users in Brazil, Mexico, Spain and Peru. It has previously almost exclusively been distributed through email spam, in which the authors utilize a fake Java or Flash update. Through these fake pop-up windows, users are encouraged to give away sensitive information.
Now, Grandoreiro authors are shifting their tactics to target users through COVID-19 scams on fake websites. This coincides with a general shift towards cyber-attacks related to the virus that play on people’s fears as the crisis has developed in recent weeks.
Once a machine is affected, Grandoreiro is able to collect information about it using a variety of techniques. These include manipulating windows, updating itself, capturing keystrokes, simulating mouse and keyboard actions, navigating browsers to chosen URLs, signing out and restarting machines, and blocking access to websites. In some versions, it is also able to steal credentials stored in Google Chrome and data stored in Microsoft Outlook browsers.
