It seems that the cyber criminals behind the banking trojan Grandoreiro are back, but this time it has evolved and targets cryptocurrency as well. What's dangerous is that it focuses on Latin American countries, and now Africa, Europe, and the Indo-Pacific are on their list as well.
In this campaign, the cyber criminals send an email with a link to view an invoice or fee, view an account statement, make a payment, etc., depending on the impersonated entity.
Sample 1: an email that a targeted victim received.
Sample 2: another email like this:
So initially, it will check whether the machine is running in a sandbox, and then collect the following information:
- Computer name
- Username
- OS version information
- Installed Antivirus solution
- Country of the victim’s public IP (via http://ip-api.com/json)
- List of running processes
And here is a clever trick: they bloat their payload by more than 100 MB so that AV will skip it.
After that, once it has fetched everything from the C2 server (its command and control), it will profile its victims, including crypto-related wallets, exchanges, and accounts.
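As an added illustration (this is not code from the original post or from the linked report), here is a defender-side triage heuristic for the padding trick described above: split a file into chunks and measure how much of it is low-entropy filler. The size and filler thresholds and the constructed sample are assumptions; the page's 100 MB figure is scaled down here so the demo runs quickly.

```python
import math
import random
from collections import Counter

# The page states the payload is bloated past 100 MB; the demo below passes a
# smaller threshold so the constructed sample stays small.
PAGE_SIZE_THRESHOLD = 100 * 1024 * 1024


def chunk_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, up to 8.0."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def padding_profile(data: bytes, chunk_size: int = 4096) -> dict:
    """Report how much of the file is low-entropy filler (assumed cutoff: < 1.0 bits/byte)."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    low = sum(1 for c in chunks if chunk_entropy(c) < 1.0)
    return {
        "size": len(data),
        "chunks": len(chunks),
        "low_entropy_chunks": low,
        "filler_ratio": low / len(chunks) if chunks else 0.0,
    }


def looks_bloated(data: bytes, size_threshold: int = PAGE_SIZE_THRESHOLD,
                  filler_threshold: float = 0.8) -> bool:
    """Triage signal: a large file whose bulk is filler. Legitimate installers can
    carry low-entropy resources too, so treat a hit as a reason to scan, not a verdict."""
    prof = padding_profile(data)
    return prof["size"] >= size_threshold and prof["filler_ratio"] >= filler_threshold


def build_sample(real_size: int = 16 * 1024, pad_size: int = 2 * 1024 * 1024,
                 seed: int = 1) -> bytes:
    """Constructed sample: a small pseudo-random 'real' body followed by zero padding."""
    rng = random.Random(seed)
    real = bytes(rng.getrandbits(8) for _ in range(real_size))
    return real + b"\x00" * pad_size


if __name__ == "__main__":
    sample = build_sample()
    print(padding_profile(sample))
    # Demo threshold of 1 MB instead of the page's 100 MB.
    print("bloated:", looks_bloated(sample, size_threshold=1024 * 1024))
```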
Source: https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/
- So again, the rule of thumb: do not click any links in your email, especially attachments, if you don't know the source.
- Update your AV and OS.
- And again, we should always protect our accounts, passwords, and crypto wallets. There is nothing better than educating ourselves about this kind of attack, as obviously we are the heavy target.