Cybersecurity researchers recently publicized early this February, a new application for anti phishing solutions scam that is now targeting people in Spain. It is somewhat similar to the TrickBot and IcedID trojan/malware program that usually attacks large banks in different countries. The said malicious activity in Spain is being linked to a new overlay malware they called – Grandoreiro.
The strike was initially observed in LATAM countries, especially in Brazil. But now, similar cases are being cited in Spain. As evidence, the source code that was used has an 80-90 percent similarity. With this, researchers have concluded that either the attacker is now doing a wide range of hacking or getting alliance on their targeted country since they speak the same language – Spanish/Portuguese.
The malware reported was spread through a coronavirus-themed video. For the victim to watch the video, he/she is persuaded to click on a URL that will induce download of a (dot)MSI file plugin for Chrome Browser. Once the plugin is installed, it will now send a notification to the attacker that connection has been established. Thus, they will just wait in the shadows for the victim to access his/her online banking.
Grandoreiro works as a remote overlay malware trojan application. It is being triggered once the infected device tries to do online access banking. Once the victim enters his/her login credentials, the fraudster will show pages that are most likely similar to the bank’s interface for them to have time to perform their malicious activities under the radar.
In contrast, the victim still thinks that the pages he/she is viewing is still part of some in-browser advertisement from the bank. While at the back end, the fraudster is now seeing the main login page of the victim’s online banking, and it is ready to do his fraudulent act since he now has remote access to the device for which Grandoreiro is specifically made.
With this action, the victim’s Bank’s Frauds Prevention and Detection program will not raise any suspicions on the current transaction of the victim.
Another reported feature of this application is its ability to steal copies of cookies and cache from the infected devices and then can continue to work on the other devices of the victim.
With this and the usual advisory by the Cybersecurity researchers, our first line of protection is for us not to open any suspicious link or download/install any application that is not found on the legit website of a registered business.