Bitcoin Forum
Author Topic: Banking (and crypto wallets) trojan Grandoreiro targets Spanish speaking nations  (Read 83 times)
Dave1 (OP)
August 22, 2022, 11:29:05 AM
Merited by DdmrDdmr (3)
#1

This is not a new banking trojan; it has been seen in the wild since 2016 and specifically targets Latin American countries. Its mode of attack is to impersonate officials from the Attorney General's Office of Mexico City and from the Public Ministry for its spear campaign. The email contains an embedded link which, when clicked, redirects you to a site from which you download a zip file that contains the trojan.

It targets different industries as well:

  • Chemicals Manufacturing
  • Automotive
  • Civil and Industrial Construction
  • Machinery
  • Logistics - Fleet management services

It also has the capability to check for the following installed programs, and once it finds one installed, it steals all the info of that wallet:

  • Binance
  • Electrum
  • Coinomi
  • Bitcoin Core
  • Ledger Live

https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals

I know that there are a lot of Spanish speaking members of this community so I just want you guys to be aware.

passwordnow
August 22, 2022, 11:59:55 AM
#2

Thanks for the awareness. Someone who randomly clicks links attached to their emails is really attracting these viruses and other malware, which we should avoid just by being aware that they exist and of how they reach us through malicious links.
Just never click on or entertain any unsolicited and unwelcome email, those random emails that are being sent to us. Some email providers put them in spam and make those links unclickable, but not all providers do that.

Hispo
August 22, 2022, 06:17:23 PM
#3

Thanks for the heads-up.
However, something has gotten me curious about this information you are sharing.


  • Binance
  • Electrum
  • Coinomi
  • Bitcoin Core
  • Ledger Live


Assuming this program actually targeted and found wallets like Ledger Live and Electrum, those wallets work together with hardware wallets (it is optional on Electrum), so wouldn't that mean the worst case scenario would be the theft of the xpubs rather than the seed/private keys?

NotATether
August 22, 2022, 06:29:54 PM
#4

Quote
Thanks for the heads-up.
However, something has gotten me curious about this information you are sharing.

  • Binance
  • Electrum
  • Coinomi
  • Bitcoin Core
  • Ledger Live

Assuming this program actually targeted and found wallets like Ledger Live and Electrum, those wallets work together with hardware wallets (it is optional on Electrum), so wouldn't that mean the worst case scenario would be the theft of the xpubs rather than the seed/private keys?


The worst case only happens if you didn't bother to protect your wallet with a password (!) - if you're not trying to give your money away to bandits, then the worst case is that the virus steals a perfectly encrypted wallet, with a password that has 20+ characters in it and thus will take eons to crack.

Still, if you detect a virus, it's best to assume your wallet file was stolen, and sweep all your coins to a new wallet.

Upgrade00
August 22, 2022, 08:12:09 PM
#5

Quote
Still, if you detect a virus, it's best to assume your wallet file was stolen, and sweep all your coins to a new wallet.
+1.
When any sort of vulnerability is noticed, it is safe to assume that all security protocols have been breached, and any assets or personal information held on the device compromised.

There has been so much publicity on scams, phishing and malware links, that it is surprising, at least to me, how people still fall for random, unsolicited emails, with embedded links. Worse still that people still expose personal information like emails, etc on various, unverified platforms.

DdmrDdmr
August 23, 2022, 09:39:59 AM
#6

<…>
The article included in the OP points to the malware compiling information on those wallets (as well as antimalware, banking and mail clients), sending it to the attacker’s remote server for their analysis. The info that is gathered seems to be something like this:


That may not give them access then and there to anything, but Grandoreiro has the capacity to perform:
Quote
•   Keylogging
•   Auto-Updation for newer versions and modules
•   Web-Injects and restricting access to specific websites
•   Command execution
•   Manipulating windows
•   Guiding the victim's browser to a certain URL
•   C2 Domain Generation via DGA (Domain Generation Algorithm)
•   Imitating mouse and keyboard movements
Although not mentioned explicitly, it’s possible that there is a chance to perform clipboard jacking under the guise of some of the above features, which could come in handy to the hackers even if you’re handling a hardware wallet (or whatnot), simply by changing addresses that are copy/pasted with the intent to be included in TXs.
Lucius
August 23, 2022, 02:28:26 PM
#7

Quote
Although not mentioned explicitly, it's possible that there is a chance to perform clipboard jacking under the guise of some of the above features, which could come in handy to the hackers even if you're handling a hardware wallet (or whatnot), simply by changing addresses that are copy/pasted with the intent to be included in TXs.

That would be the most likely option when it comes to Ledger Live or for some other HW+Electrum combination. However, this trojan may also have some more sophisticated ways to attack HW owners, perhaps redirecting them to various web locations where it tries to steal their seed or through some other data it gets if it succeeds in infecting the victim's computer.

Given that it's been around since at least 2016, I assume any good AV must block it - although few people pay attention to online security these days. Of course, everything starts from the fact that you should not trust links that come from suspicious sources, no matter how credible it may seem to someone at first glance.
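The clipboard-jacking scenario raised by DdmrDdmr and Lucius above has a recognisable signature from the defender's side: the user copies a payment address, and a moment later, with no further user action, the clipboard holds a different address of the same format. The script below is an added example written for this thread; it is not code from the original posts, from the Zscaler article, or from any wallet project. It assumes clipboard changes have already been captured as a timeline of (timestamp, content) events (collecting them needs an OS clipboard API, which is left out), and the two-second window and the address-shape patterns are assumed heuristics; the sample timeline is constructed, not real malware telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Rough shape checks for the address formats a clipper typically swaps.
# Format heuristics only (assumed for this example), not checksum validation:
# a swapped-in address is usually a perfectly valid address, so validation
# alone would not catch the swap.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family of a clipboard string, or None if it is not an address."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


@dataclass
class ClipboardEvent:
    timestamp: float  # seconds since monitoring started
    content: str      # clipboard text after this change


def detect_clipboard_swaps(events: List[ClipboardEvent], window_seconds: float = 2.0) -> List[dict]:
    """Flag clipper-style behaviour: an address is replaced by a *different* address of
    the same family within window_seconds, with no unrelated copy in between.
    A user legitimately copying another address seconds or minutes later is not flagged."""
    alerts = []
    previous: Optional[ClipboardEvent] = None
    for event in events:
        family = classify_address(event.content)
        if previous is not None and family is not None:
            swapped_quickly = (
                classify_address(previous.content) == family
                and previous.content.strip() != event.content.strip()
                and (event.timestamp - previous.timestamp) <= window_seconds
            )
            if swapped_quickly:
                alerts.append({
                    "family": family,
                    "original": previous.content.strip(),
                    "replacement": event.content.strip(),
                    "delay": round(event.timestamp - previous.timestamp, 3),
                })
        previous = event
    return alerts


# Constructed sample timeline (not captured from real malware).
LEGIT_BTC = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"  # BIP173 example address
SWAPPED_BTC = "bc1q" + "0" * 34 + "swap"                  # placeholder "attacker" address
LEGIT_ETH = "0x1234567890abcdef1234567890abcdef12345678"
SWAPPED_ETH = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, LEGIT_BTC),          # user copies the address they intend to pay
    ClipboardEvent(0.3, SWAPPED_BTC),        # replaced 300 ms later without user action -> alert
    ClipboardEvent(5.0, "meeting at 3pm"),   # unrelated copy, resets the comparison
    ClipboardEvent(6.0, LEGIT_ETH),
    ClipboardEvent(20.0, "0x" + "ab" * 20),  # user copies a different address much later -> no alert
    ClipboardEvent(20.4, SWAPPED_ETH),       # replaced within the window -> alert
]


def run_demo() -> List[dict]:
    """Run the detector over the constructed timeline and print each alert."""
    alerts = detect_clipboard_swaps(SAMPLE_EVENTS)
    for alert in alerts:
        print(f"[{alert['family']}] {alert['original'][:10]}... -> "
              f"{alert['replacement'][:10]}... after {alert['delay']}s")
    return alerts


if __name__ == "__main__":
    run_demo()
```

On the constructed timeline the detector raises two alerts (the bitcoin swap at 0.3 s and the ether swap at 20.4 s) and stays quiet when the user copies a new address fourteen seconds after the previous one. The same idea is what a user does by hand when they compare the first and last characters of a pasted address against the one they meant to copy; the point of the timing check is that a clipper has to act between the copy and the paste, which is a much shorter interval than a person re-copying on purpose.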
