top of page

Grandoreiro Banking Trojan with New TTPs

Recently Zscaler ThreatLabz observed a Grandoreiro campaign targeting organizations in the Spanish-speaking nations of Mexico and Spain that work across a variety of different industry verticals such as Automotive, Chemicals Manufacturing and others. In this campaign, the threat actors impersonate government officials from the Attorney General’s Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute “Grandoreiro” a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America. Grandoreiro is written in Delphi and utilizes techniques like binary padding to inflate binaries, Captcha implementation for sandbox evasion, and command-and-control (CnC) communication using patterns that are identical to LatentBot.



ATT&CK IDS: T1036 - Masquerading, T1547 - Boot or Logon Autostart Execution, T1566 - Phishing, T1140 - Deobfuscate/Decode Files or Information, T1113 - Screen Capture, T1562 - Impair Defenses, T1553 - Subvert Trust Controls, T1105 - Ingress Tool Transfer, T1102 - Web Service

Read More:

1 view
bottom of page