Cybercriminals are reviving the Grandoreiro banking trojan, targeting users in Latin America and Europe through large-scale phishing campaigns. The malware is distributed via emails impersonating tax agencies that lead victims to download malicious payloads from Contabo-hosted servers and Mediafire. The attack chain consists of obfuscated VBS scripts that drop a Delphi-based EXE; the EXE steals credentials and connects to a C2 server. The campaign relies on dynamically generated URLs, social engineering, and several layers of obfuscation to evade detection. Users in Mexico, Argentina, and Spain are the primary targets; on infected hosts the malware searches for Bitcoin wallet directories and collects system information. The C2 infrastructure rotates subdomains under contaboserver[.]net frequently, so blocking on individual hostnames is ineffective and detection should key on the apex domain.
Author: AlienVault
Related Tags:
mediafire
grandoreiro
Grandoreiro – S0531
T1059.005
Argentina
Mexico
Spain
T1012
T1071
Associated Indicators (SHA1):
9D767A9830894B210C980F3ECF8494A1B1D3C813
7A32D66832C6C673E9C0A5E0EE80C4310546093B
A9919444948790ABE18F111EEEF91BEA2C1D4DD0
7ED66D3FE441216D7DD85DDA1A780C4404D8D8AF
0372A8BB0B04927E866C50BEF993CDA8E2B8521D
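Two checks a defender would run from this pulse, as an added example (not AlienVault's code or part of the original pulse): match file hashes against the SHA1 indicators listed above, and flag DNS queries for subdomains of contaboserver[.]net, counting distinct subdomains per client so the subdomain churn the summary describes stands out. The DNS log format and the client addresses are constructed for illustration; only the hashes and the apex domain come from the pulse.

```python
"""Grandoreiro hunting helpers: SHA1 IOC matching and contaboserver[.]net
subdomain-churn detection over DNS query logs. Added example, not part of
the AlienVault pulse; log format and hosts below are constructed."""
import hashlib
from collections import defaultdict

# SHA1 indicators copied from the pulse, normalized to lowercase.
IOC_SHA1 = {
    "9d767a9830894b210c980f3ecf8494a1b1d3c813",
    "7a32d66832c6c673e9c0a5e0ee80c4310546093b",
    "a9919444948790abe18f111eeef91bea2c1d4dd0",
    "7ed66d3fe441216d7dd85dda1a780c4404d8d8af",
    "0372a8bb0b04927e866c50bef993cda8e2b8521d",
}

# C2 apex domain from the pulse (written de-fanged as contaboserver[.]net there).
C2_APEX = "contaboserver.net"

# Constructed sample DNS log: "<timestamp> <client_ip> <queried_name>".
# Client 10.0.0.5 resolves three different C2 subdomains within minutes;
# the last line is a look-alike that must NOT match (apex is not a suffix).
SAMPLE_DNS_LOG = """\
2024-03-01T09:00:01 10.0.0.5 www.example.com
2024-03-01T09:00:07 10.0.0.5 a1b2c3.contaboserver.net
2024-03-01T09:05:12 10.0.0.5 d4e5f6.contaboserver.net
2024-03-01T09:10:40 10.0.0.5 g7h8i9.contaboserver.net
2024-03-01T09:11:00 10.0.0.9 mail.example.com
2024-03-01T09:12:00 10.0.0.9 contaboserver.net.evil.example
"""


def refang(name: str) -> str:
    """Turn a de-fanged name such as contaboserver[.]net back into a real FQDN."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


def is_c2_domain(name: str, apex: str = C2_APEX) -> bool:
    """True if name is the apex itself or a subdomain of it.
    The check is anchored on a label boundary so 'notcontaboserver.net' and
    'contaboserver.net.evil.example' do not match."""
    fqdn = refang(name)
    return fqdn == apex or fqdn.endswith("." + apex)


def parse_dns_log(text: str):
    """Yield (timestamp, client, queried_name) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)


def c2_subdomains_by_client(log_text: str, apex: str = C2_APEX) -> dict:
    """Map each client to the sorted set of distinct C2 hostnames it queried."""
    seen = defaultdict(set)
    for _ts, client, name in parse_dns_log(log_text):
        if is_c2_domain(name, apex):
            seen[client].add(refang(name))
    return {client: sorted(names) for client, names in seen.items()}


def flag_churn(log_text: str, min_distinct: int = 3, apex: str = C2_APEX) -> list:
    """Clients that resolved at least min_distinct different C2 subdomains:
    one hit is suspicious, rotation across several is the pattern the pulse
    describes. Threshold is a tuning assumption, not from the pulse."""
    by_client = c2_subdomains_by_client(log_text, apex)
    return sorted(c for c, names in by_client.items() if len(names) >= min_distinct)


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sha1_hits(hashes) -> list:
    """Return the subset of the given SHA1 digests that appear in the pulse IOCs."""
    return sorted(h.lower() for h in hashes if h.lower() in IOC_SHA1)


if __name__ == "__main__":
    print("C2 subdomains per client:", c2_subdomains_by_client(SAMPLE_DNS_LOG))
    print("Clients showing subdomain churn:", flag_churn(SAMPLE_DNS_LOG))
    print("IOC hits:", sha1_hits(["9D767A9830894B210C980F3ECF8494A1B1D3C813"]))
```

The suffix test is deliberately label-anchored: a naive `"contaboserver.net" in name` would also fire on unrelated names that merely contain the string, and a plain `endswith("contaboserver.net")` would match `notcontaboserver.net`. Feed `sha1_of_file` the paths of downloaded VBS and EXE samples, and feed `flag_churn` resolver or proxy logs converted to the three-column form shown.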