Cybersecurity experts at Proofpoint have recently discovered a new variant of the Grandoreiro malware, previously known for its targeting of victims in Brazil and Mexico. This latest version, linked to the threat actor TA2725, has now expanded its reach to include banks in Spain.
In a recent advisory, researchers at Proofpoint noted a significant increase in malicious activity targeting Spain, a deviation from the malware’s usual focus on Portuguese and Spanish speakers in the Americas. Brazil, in particular, is a highly targeted country for information stealers and malware due to its widespread use of online banking, presenting ample opportunities for threat actors to exploit unsuspecting victims.
Jared Peck, a researcher at Proofpoint, highlighted the evolving cyber threat landscape in Brazil, stating that the country's growing online presence has expanded the potential victim base. The Grandoreiro malware family, typically written in Delphi, has been active for several years and includes strains such as Javali, Casbaneiro, Mekotio, and Grandoreiro itself. The malware steals data through keyloggers and screen-grabbers, and in particular harvests bank login information by displaying overlays on top of banking websites.
While Grandoreiro previously focused on banks in Brazil and Mexico, recent campaigns have shown that the malware’s bank credential-stealing overlays now include Spanish banks as well. This allows TA2725 to target victims in both Spain and Mexico simultaneously without the need to modify the malware.
TA2725, known for utilizing Brazilian banking malware and phishing techniques, has been observed targeting credentials for banks in Brazil and Mexico, as well as consumer credentials and payment information for popular platforms like Netflix and Amazon accounts. Peck emphasized the evolving nature of malware development and the persistence of threat actors in Latin America and South America, indicating a potential increase in targets outside of the region who share a common language.
“As the global supply chain continues to rely on suppliers worldwide, the targeting of organizations beyond their usual service region poses an increasing threat to all organizations globally,” Peck stated in the advisory. This highlights the importance of robust cybersecurity measures and vigilance in safeguarding against evolving cyber threats.