Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

Jun 15, 2024Newsroom

Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S.

\”The group’s latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS,\” Resecurity said in a report published earlier this week. \”The goal is to steal their personal and financial information.\”

The threat actors, believed to be Chinese-speaking, are known to leverage stolen databases sold on the dark web to send bogus SMS messages, enticing recipients into clicking on links under the pretext of informing them of a failed package delivery and urging them to update their address.

Users who end up clicking on the URLs are directed to fake websites that prompt them to enter their financial information as part of a supposed service fee charged for redelivery.

\”Besides Pakistan Post, the group was also involved in detecting multiple fake delivery package scams,\” Resecurity said. \”These scams primarily targeted individuals who were expecting legitimate packages from reputable courier services such as TCS, Leopard, and FedEx.\”

The development comes as Google revealed details of a threat actor it calls PINEAPPLE that employs tax and finance-themed lures in spam messages to entice Brazilian users into opening malicious links or files that ultimately lead to the deployment of the Astaroth (aka Guildma) information-stealing malware.

\”PINEAPPLE often abuses legitimate cloud services in their attempts to distribute malware to users in Brazil,\” Google’s Mandiant and Threat Analysis Group (TAG) said. \”The group has experimented with a number of cloud platforms, including Google Cloud, Amazon AWS, Microsoft Azure and others.\”

It’s worth noting that the abuse of Google Cloud Run to disseminate Astaroth was flagged by Cisco Talos earlier this February, describing it as a high-volume malware distribution campaign targeting users across Latin America (LATAM) and Europe.

The internet goliath said it also observed a Brazil-based threat cluster it tracks as UNC5176 targeting financial services, healthcare, retail, and hospitality sectors with a backdoor codenamed URSA that can siphon login credentials for various banks, cryptocurrency websites, and email clients.

The attacks leverage emails and malvertising campaigns as distribution vectors for a ZIP file containing an HTML Application (HTA) file that, when opened, drops a Visual Basic Script (VBS) responsible for contacting a remote server and fetching a second-stage VBS file.

The downloaded VBS file subsequently proceeds to carry out a series of anti-sandbox and anti-VM checks, after which it initiates communications with a command-and-control (C2) server to retrieve and execute the URSA payload.

A third Latin America-based financially motivated actor spotlighted by Google is FLUXROOT, which is linked to the distribution of the Grandoreiro banking trojan. The company said it took down phishing pages hosted by the adversary in 2023 on Google Cloud that impersonated Mercado Pago with the goal of stealing users’ credentials.

\”More recently, FLUXROOT has continued distribution of Grandoreiro, using cloud services such as Azure and Dropbox to serve the malware,\” it said.

The disclosure follows the emergence of a new threat actor dubbed Red Akodon that has been spotted propagating various remote access trojans like AsyncRAT, Quasar RAT, Remcos RAT, and XWorm through phishing messages that are designed to harvest bank account details, email accounts, and other credentials.

Targets of the campaign, which has been ongoing since April 2024, include government, health, and education organizations as well as financial, manufacturing, food, services, and transportation industries in Colombia.

\”Red Akodon’s initial access vector occurs mainly using phishing emails, which are used as a pretext for alleged lawsuits and judicial summonses, apparently coming from Colombian institutions such as the Fiscalía General de la Nación and Juzgado 06 civil del circuito de Bogotá,\” Mexican cybersecurity firm Scitum said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a Comment