
Grandoreiro Banking Malware Targets Spain using Fake Chrome Plugin

Researchers are warning users about remote overlay malware attacks that use a fake Chrome browser plugin to target Spanish banking customers. The malware in question, Grandoreiro, is a banking Trojan that lets attackers take over devices and display an overlay message when users access their banking accounts.

While the overlay keeps the user occupied, the attackers perform a fraudulent money transfer. Grandoreiro is known for attacking banking customers in Brazil, and the latest attack expands its operators' reach to other countries. The campaign was discovered in February 2020, using coronavirus-themed videos as part of its malspam to fool users.

The inner workings of Grandoreiro

According to IBM's X-Force, when users click on a URL they are taken to an infected website. Once there, they are prompted to download an .MSI file hosted on a GitHub repository. That file is the malware loader; Grandoreiro itself is then downloaded through a URL hardcoded in the loader.

Once the download is complete, Grandoreiro connects to a command-and-control (C2) server. This lets the malware notify the attackers about the infected machine and give them remote access whenever the victim visits a banking website. Grandoreiro also downloads a malicious extension for Google Chrome that presents itself as "Google Plugin 1.5.0". The extension asks for permissions such as displaying notifications, modifying data, and reading browsing history.

Researchers believe the malware uses the extension to steal cookies from infected machines. Those cookies can then be replayed from another device during an active session, so the attackers no longer need ongoing control of the victim's machine.
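As an added example (not part of the original article and not Grandoreiro's code), the following defender-side Python audit walks a Chrome profile's Extensions folder and flags extensions that declare cookie- or history-reading permissions and look sideloaded or vendor-impersonating, the profile of the fake "Google Plugin" described above. The permission list, the update_url heuristic and the sample manifest are assumptions constructed for this example.

```python
import json
from pathlib import Path

# Extension permissions that allow reading session cookies, browsing
# history or every page's content (assumed high-risk set, not from the article).
HIGH_RISK = {"cookies", "history", "tabs", "webRequest",
             "webRequestBlocking", "<all_urls>"}

def assess_manifest(manifest: dict) -> dict:
    """Summarise the risky capabilities declared in one manifest.json."""
    declared = set(manifest.get("permissions", []))
    declared |= set(manifest.get("host_permissions", []))  # Manifest V3 style
    risky = sorted(p for p in declared
                   if p in HIGH_RISK or p.endswith("://*/*"))
    name = manifest.get("name", "")
    return {
        "name": name,
        "version": manifest.get("version", ""),
        "risky_permissions": risky,
        # Heuristic: Web Store installs carry an update_url; sideloaded ones often do not.
        "sideloaded": "update_url" not in manifest,
        # Heuristic: a vendor name in the title is a common impersonation tell.
        "impersonates_vendor": "google" in name.lower(),
    }

def is_suspicious(report: dict) -> bool:
    """Flag extensions that can read cookies/history and look sideloaded or fake."""
    return bool(report["risky_permissions"]) and (
        report["sideloaded"] or report["impersonates_vendor"])

def scan_extensions(root: Path) -> list[dict]:
    """Walk a Chrome profile's Extensions directory and return suspect reports."""
    findings = []
    for manifest_path in root.rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip it
        report = assess_manifest(manifest)
        if is_suspicious(report):
            report["path"] = str(manifest_path)
            findings.append(report)
    return findings

# Constructed sample modelled on the extension described in the article.
SAMPLE_MANIFEST = {
    "name": "Google Plugin", "version": "1.5.0", "manifest_version": 2,
    "permissions": ["notifications", "cookies", "history", "tabs", "<all_urls>"],
}

if __name__ == "__main__":
    print(assess_manifest(SAMPLE_MANIFEST))
```

Point `scan_extensions` at the profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) to list every suspect manifest with its path.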

Once running on an infected device, Grandoreiro lurks in the background, waiting for the victim to take an action it can exploit, such as browsing a banking website. When that happens, the attackers connect through the malware's remote access and display fake images of the banking interface, fooling the user into believing the session is still live. Whatever the user types in can be captured by the attackers while they run a transfer that drains the victim's account.

Cybercriminals are expanding the campaign

Researchers noticed that the malware samples targeting victims in Spain shared code with the Brazilian samples, nearly 90% identical. That led to the conclusion that either the original attackers are expanding to a new region or they are collaborating with Spanish criminals. Remote overlay Trojans are easy to find on dark web markets if one knows where to look.

Researchers noted that larger Trojans such as TrickBot and IcedID have been used against banks in various countries, but the linguistic similarities between Brazil and Portugal or Spanish-speaking countries allowed the Grandoreiro malware to spread more freely.