Despite police efforts and the collaboration of cybersecurity companies, the Grandoreiro banking Trojan continues to be a significant threat to users in several countries, including Spain. This malware, known for its ability to steal banking credentials, is back with new phishing campaigns that impersonate companies and public organizations.
A recent case illustrates how the criminals use emails posing as invoices from the energy distributor Endesa. This tactic is not new: Grandoreiro and other banking Trojans have impersonated this company on multiple occasions. Endesa's popularity and its weight in the Spanish energy market lead many users to fall for the trap, believing they are looking at a genuine communication.
To avoid falling victim to these attacks, it is crucial to check the email sender. In many cases, although emails appear to come from a trustworthy source, the sender's domain can reveal suspicious clues. For example, a recent Grandoreiro email used a domain from Zimbabwe, which should make users question its authenticity.
Threat Analysis: Grandoreiro
Analysis of recent Grandoreiro samples shows that the criminals continue to use ZIP archives containing MSI installers. Although these files are considerably large, they do not reach the hundreds of megabytes seen in earlier campaigns. When the malicious file is executed in a test environment, decoys such as progress bars are observed, used to distract the user while the Trojan does its work.
Grandoreiro's banking Trojan returns in a campaign impersonating Endesa
The infection chain follows a known pattern: the MSI file downloads and executes an executable containing the banking Trojan code. Once installed, the Trojan seeks to gain persistence on the system and steal banking credentials and other sensitive information that can be used in future campaigns or sold on the black market.
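The sender check recommended earlier and the ZIP-with-MSI-installer pattern just described, as an added example that is not code from the article or from ESET: a Python script that parses a constructed sample message, flags a display name claiming the Endesa brand while the address comes from a domain outside an assumed allow-list, and flags a ZIP attachment carrying an installer. The allow-list and the `example.co.zw` sender address are assumptions made for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed allow-list of domains the impersonated brand really sends from
# (illustrative values chosen for this example, not taken from the article).
BRAND = "endesa"
EXPECTED_DOMAINS = {"endesa.com", "endesa.es"}
INSTALLER_EXTENSIONS = (".msi", ".exe")


def installers_in_zip(data: bytes) -> list[str]:
    """Return the names of MSI/EXE files found inside a ZIP attachment."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(INSTALLER_EXTENSIONS)]


def analyze(raw: bytes) -> list[str]:
    """Flag a brand name in the display name with an unexpected sender domain,
    and any ZIP attachment that carries an installer."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if BRAND in display.lower() and domain not in EXPECTED_DOMAINS:
        findings.append(f"display name claims {BRAND} but sender domain is {domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            for inner in installers_in_zip(part.get_payload(decode=True)):
                findings.append(f"ZIP attachment {name} contains installer {inner}")
    return findings


def build_sample(sender: str, with_zip: bool) -> bytes:
    """Construct a sample message; the sender address is a placeholder."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Su factura"
    msg.set_content("Adjuntamos su factura en el archivo comprimido.")
    if with_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Factura.msi", b"MZ placeholder, not a real installer")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="Factura.zip")
    return msg.as_bytes()
```

Running `analyze(build_sample("Endesa Clientes <facturas@example.co.zw>", True))` yields both findings, while a message from an allow-listed domain with no archive yields none.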
Protection measures
Grandoreiro's persistence underlines the importance of staying alert and adopting adequate security measures. According to Josep Albors, Director of Research and Awareness at ESET Spain, users must be attentive to suspicious emails and always verify the authenticity of the sender and of the links included. In addition, it is essential to have robust security solutions that can detect and block these threats before they reach the inbox.
The same strategies used to combat previous versions of Grandoreiro remain effective against the new ones. This includes educating users about phishing tactics and deploying advanced security tools that can identify and neutralize the malware.