430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Grandoreiro campaign impersonates Spanish Agencia Tributaria

Operators of Grandoreiro Latin American banking trojan have launched a new campaign using emails posing as the Agencia Tributaria in order to infect new victims. Operators behind the Grandoreiro banking trojan, which is popular in Latin America, have been using emails posing as the Agencia Tributaria to trick victims into installing the malware. The campaign began […]

grandoreiro banking Trojan

Operators of Grandoreiro Latin American banking trojan have launched a new campaign using emails posing as the Agencia Tributaria in order to infect new victims.

Operators behind the Grandoreiro banking trojan, which is popular in Latin America, have been using emails posing as the Agencia Tributaria to trick victims into installing the malware.

The campaign began on August 11th, 2020, when many many Spanish people receiving messages claiming to be from the Agencia Tributaria. The emails attempted to trick users into believing they were a communication from the tax agency, the messages used sender info like “Servicio de Administración Tributaria” and come from the email address contato@acessofinanceiro[.]com.

The message includes a link that points to a ZIP archive that claims to contain a digital tax receipt and inform the users that they have to fill a document to be submitted to the Agencia Tributaria along with a fee to pay.

“Although the message offers no guarantee of being an official communication, it is likely that some recipients have been tricked into downloading the linked ZIP file via the provided link.” reads the analysis published by ESET.

“The link redirects to a domain that was registered on the same day, August 11. However, looking at the information provided by whois – a service that provides identifying information about domain name registrants – the registrant’s country is listed as Brazil, which could perhaps indicate the whereabouts of the operators of this campaign.”

The researchers noticed other Latin American banking trojan campaigns in the same period, some of the malware distributed was Mekotio.

The malicious file has been hosted by threat actors either on a compromised domain or in a cloud storage service like Dropbox. In the case of the cloud storage, the link points to a Dropbox folder containing the ZIP file.

“This ZIP payload contains an MSI file and a GIF image. Homing in on the properties of the MSI file reveals that it was compiled the day before, August 10. It should also be noted that the ZIP filename has the country code “ES” at the end. ESET researchers also detected other files in Dropbox with very similar sizes and dates of compilation, but with different country codes – possibly indicating that this campaign is targeting victims in various countries at the same time.” continues ESET.

The MSI file is as a variant of Win32/TrojanDownloader.Delf.CYA, which is a downloader employed in other campaigns spreading Latin American banking trojans, including GrandoreiroCasbaneiroMekotio and Mispadu.

“Impersonating Spain’s Agencia Tributaria or other similar agencies is an old trick in the attackers’ book that has been used for a long time, especially during tax season. However, even when high season for income taxes has already concluded, this year has seen this technique being used by Latin American banking trojans and other threats specialized at stealing data.” concludes ESET.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, D-Link)

[adrotate banner=”5″]

[adrotate banner=”13″]