May 28

Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users


Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively.

That's according to new findings from WatchGuard and ESET, which have observed the two malware families being used to single out companies in Spain, Portugal, and Mexico, as well as mobile users in Brazil.

The Grandoreiro campaign "uses the DLL Side-Loading technique abusing four different software, targeting banks in Portugal," WatchGuard researcher Euler Neto said.

Active since 2016, Grandoreiro is an actively evolving banking malware that's capable of stealing credentials associated with thousands of financial institutions across 45 countries and territories. It's typically distributed via phishing emails, instructing recipients to click on sketchy links.

Despite some arrests and attempts by Brazilian authorities to dismantle its infrastructure in early 2024, the malware has continued to expand its targeting footprint, while incorporating CAPTCHA checks to resist analysis.

The latest campaign flagged by WatchGuard has been found to leverage DLL side-loading to launch DLLs that are developed in Delphi 11, a programming language commonly used for malware targeting the region. Two of the DLLs - mingwm10.dll and libwebp.dll - have been found to incorporate sgcWebSockets, a WebSocket and real-time communication library, for peer-to-peer (P2P) and WebRTC communications.

"The DLLs associated with this case use the Session Traversal Utilities for NAT (STUN) protocol, which is a protocol that helps devices behind a NAT discover their public IP address and port number, enabling peer-to-peer communication," WatchGuard explained.

"The advantage for threat actors to use web conferencing traffic in their campaigns is due to this traffic being noisy, being difficult to monitor, and due to WebRTC being commonly used across all major web-conferencing platforms."
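As an added illustration of the STUN traffic described above (example code written for this edit, not WatchGuard's or the article's), the following Python parser recognises STUN binding messages by the RFC 5389 magic cookie, decodes the XOR-MAPPED-ADDRESS attribute that tells a NATed host its public IP and port, and flags STUN sent by processes that are not known conferencing clients. The process names, the allow-list and the packet bytes are constructed for the example.

```python
import struct
import ipaddress

# RFC 5389 constants (taken from the spec, not from the article)
STUN_MAGIC_COOKIE = 0x2112A442
ATTR_XOR_MAPPED_ADDRESS = 0x0020
STUN_MSG_TYPES = {0x0001: "Binding Request", 0x0101: "Binding Success Response"}

def parse_stun(payload: bytes):
    """Return (message type, (public ip, port) or None) for a STUN message, else None."""
    if len(payload) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    # Type's top two bits are zero, the magic cookie matches, and the body
    # length is 4-byte aligned and fully present in the payload.
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or msg_len % 4 or len(payload) < 20 + msg_len:
        return None
    mapped, off, end = None, 20, 20 + msg_len
    while off + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + attr_len]
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            # IPv4 XOR-MAPPED-ADDRESS: port is XORed with the cookie's top 16 bits,
            # the address with the whole cookie, so the NAT's public mapping is recoverable.
            port = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC_COOKIE >> 16)
            ip = struct.unpack("!I", value[4:8])[0] ^ STUN_MAGIC_COOKIE
            mapped = (str(ipaddress.IPv4Address(ip)), port)
        off += 4 + attr_len + (-attr_len % 4)  # attribute values are padded to 4 bytes
    return STUN_MSG_TYPES.get(msg_type, f"type 0x{msg_type:04x}"), mapped

def stun_from_unexpected_processes(flows, allowed):
    """flows: (process name, UDP payload) pairs; allowed: lowercase names of known
    conferencing clients. Returns STUN messages sent by any other process."""
    hits = []
    for process, payload in flows:
        parsed = parse_stun(payload)
        if parsed and process.lower() not in allowed:
            hits.append((process, parsed[0], parsed[1]))
    return hits

# Constructed sample payloads for testing (not captured from the campaign).
SAMPLE_REQUEST = bytes.fromhex("00010000" "2112a442" + "0b" * 12)
SAMPLE_RESPONSE = bytes.fromhex(
    "0101000c" "2112a442" + "0b" * 12  # Binding Success Response, 12-byte body
    + "00200008" "0001f523ea12d545")   # XOR-MAPPED-ADDRESS encoding 203.0.113.7:54321
SAMPLE_DNS = bytes.fromhex("1a2b01000001000000000000")  # not STUN: no magic cookie
SAMPLE_FLOWS = [("teams.exe", SAMPLE_REQUEST), ("updater.exe", SAMPLE_RESPONSE),
                ("svchost.exe", SAMPLE_DNS)]
```

On a real sensor the flows would come from a packet capture or EDR network telemetry joined to the owning process; the allow-list is what turns noisy but legitimate WebRTC traffic into a useful signal.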

Two other DLLs associated with the campaign are libffi-6.dll and libpng15.dll, which make use of the Interactive Connectivity Establishment (ICE) protocol instead of STUN to achieve the same goal. These files specifically reference banks and financial institutions that operate in Portugal, such as Abanca, Banco de Portugal, BBVA PT, Caixa Geral Depositos, and Santander, among others. Also targeted are Revolut and Wise.

WatchGuard also said it identified another campaign in which phishing emails are used to deliver a ZIP archive hosted on Mediafire. The file contains an obfuscated Visual Basic Script that's responsible for launching an executable, which displays a message asking users to update Adobe Reader by clicking on a button embedded in the alert.
