Tuesday, May 6, 2025

Grandoreiro Banking Trojan Targeting Automotive, Chemicals Manufacturing Industries


Grandoreiro is a banking trojan that security analysts at Zscaler recently observed being used in a fresh wave of attacks.

The targets are employees of a chemicals manufacturing company in Spain and of an automotive and machinery manufacturing company in Mexico.

The malware has been active in the wild since at least 2017 and remains one of the most serious threats of its kind to Spanish-speaking users.


Target Organizations

The new campaign began in June 2022 and was still ongoing at the time of the research. It delivers a new Grandoreiro variant.

This variant adds a number of new features and a revamped command-and-control (C2) mechanism intended to make the malware harder to detect and analyze.

The threat actors are going after organizations located in Spanish-speaking countries, mainly Mexico and Spain.

The campaign targets the following industries:

  • Chemicals Manufacturing
  • Automotive
  • Civil and Industrial Construction
  • Machinery
  • Logistics – Fleet management services

Capabilities of Grandoreiro

Once running on a host, the malware provides several backdoor capabilities, including:

  • Keylogging
  • Self-updating of older versions and modules with newer ones
  • Web injects and blocking access to specific websites
  • Command execution
  • Manipulating application windows
  • Directing the victim's browser to a specific URL
  • Generating C2 domains with a domain generation algorithm (DGA)
  • Imitating mouse and keyboard movements

Infection

The infection chain starts with an email that purports to come from one of the following entities:

  • Attorney General’s Office of Mexico City 
  • The Spanish Public Ministry

Which entity is impersonated depends on the target. The emails use lures on topics such as:

  • State refunds
  • Notices of litigation changes
  • Cancellation of mortgage loans

The emails direct victims to a website that serves a ZIP archive containing the Grandoreiro loader module. The loader executable is dressed up to look like a PDF document, which tricks the victim into launching it.

The loader then fetches the final payload, written in Delphi, from a remote HTTP file server as a compressed ZIP archive of about 9.2 MB.

After extracting the archive, the loader executes the payload. At this stage the loader also collects the following information and sends it to the C2 server:

  • System information
  • List of installed AV programs
  • Cryptocurrency wallets
  • E-banking apps
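The lure above relies on an executable that looks like a PDF inside a downloaded ZIP archive. The following Python script is an added example, not code from the Zscaler research or from this article, showing the check a mail gateway or triage analyst can apply before anything is extracted: it flags archive members whose name suggests a document but whose first bytes are a Windows PE image, or whose name carries a document extension followed by an executable one (optionally padded with spaces). It assumes the disguise is visible in the entry name or content; the sample archive, its entry names and the fake MZ stubs are constructed for illustration.

```python
"""Flag ZIP members that pose as documents but are Windows executables.

Added example (not code from Zscaler or Cyber Security News). The sample
archive is built in memory with fake 'MZ' stubs, so it runs offline and
contains no real malware.
"""
import io
import zipfile

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".msi",
                   ".bat", ".cmd", ".js", ".vbs", ".lnk"}
PE_MAGIC = b"MZ"        # first two bytes of a Windows PE image
PDF_MAGIC = b"%PDF-"    # first bytes of a genuine PDF


def entry_extensions(name: str) -> list[str]:
    """Return every extension of the base file name, lower-cased and
    stripped, e.g. 'dir/Demanda.pdf   .exe' -> ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")]
    return ["." + p for p in parts[1:] if p]


def suspicious_reasons(name: str, head: bytes) -> list[str]:
    """Return the reasons a member is suspicious (empty list if none)."""
    exts = entry_extensions(name)
    last = exts[-1] if exts else ""
    reasons = []
    # Double extension: 'Notificacion.pdf.exe' or 'Notificacion.pdf   .exe'
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("document extension followed by executable extension")
    # Name says document, bytes say PE image
    if last in DOCUMENT_EXTS and head.startswith(PE_MAGIC):
        reasons.append("PE header in a file named as a document")
    # A '.pdf' that does not begin with the PDF signature
    if last == ".pdf" and not head.startswith(PDF_MAGIC):
        reasons.append("'.pdf' entry without %PDF- signature")
    # Any executable type at all inside a supposed document download
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension in a 'document' download")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each flagged member name to its reasons. Only the first 8 bytes of
    each member are read, so an artificially inflated loader is never fully
    decompressed during triage."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = suspicious_reasons(info.filename, head)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_zip() -> bytes:
    """Constructed archive: one benign PDF-like file and two disguised
    executables (fake MZ stubs padded with zeros)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Aviso/Informe.pdf", b"%PDF-1.7\n%constructed benign sample\n")
        zf.writestr("Aviso/Notificacion_Fiscalia.pdf   .exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Aviso/Resolucion_Hipoteca.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member!r}: {'; '.join(why)}")
```

The check deliberately reads only a few bytes per member: the page notes the payload archive is several megabytes, and banking trojans are often padded to defeat size-limited scanners, so full extraction during triage is both slow and unnecessary for this test. Point `scan_zip` at the raw bytes of a downloaded archive to apply it to a real sample.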

The final payload is signed with a code-signing certificate stolen from ASUSTEK. In some cases Grandoreiro also requires the victim to solve a CAPTCHA before it will run on the infected system, which keeps the payload from executing in automated analysis sandboxes.

The malware also incorporates several other anti-analysis and detection-evasion features, laying the groundwork for stealthier operations.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
