The banking Trojan Grandoreiro has been taking advantage of the COVID-19 crisis to attack users, an analysis by ESET has shown. The internet security company has found the Trojan hiding in videos on fake websites that promise to provide vital information about the virus. Attempting to play the video leads to the download of a payload on the visitors’ device.
Grandoreiro has been seen operating since 2016, and targets users in Brazil, Mexico, Spain and Peru. It has previously almost exclusively been distributed through email spam, in which the authors utilize a fake Java or Flash update. Through these fake pop-up windows, users are encouraged to give away sensitive information.
Now, Grandoreiro authors are shifting their tactics to target users through COVID-19 scams on fake websites. This coincides with a general shift towards cyber-attacks related to the virus that play on people’s fears as the crisis has developed in recent weeks.
Once a machine is affected, Grandoreiro is able to collect information about it using a variety of techniques. These include manipulating windows, updating itself, capturing keystrokes, simulating mouse and keyboard actions, navigating browsers to chosen URLs, signing out and restarting machines, and blocking access to websites. In some versions, it is also able to steal credentials stored in Google Chrome and data stored in Microsoft Outlook browsers.
The Trojan has also proven to be very difficult for cybersecurity experts to detect and remove.
“For a Latin American banking Trojan, Grandoreiro utilizes a surprisingly large number of tricks to evade detection and emulation. That includes many techniques to detect or even disable banking protection software,” explained ESET researcher Robert Šuman.
“They [the attackers] seem to be developing the banking Trojan very rapidly. Almost every new version we see introduces some changes. We also suspect they are developing at least two variants simultaneously. Interestingly, from a technical point of view, they also utilize a very specific application of the binary padding technique that makes it hard to get rid of the padding while keeping a valid file.”