Monday, July 15, 2024

Beware of Coronavirus-themed Grandoreiro Malware Attacking Bank Customers Via Chrome Plugin

Researchers observed a massive Grandoreiro campaign: the remote-overlay banking Trojan targets customers of large Spanish banks to empty their bank accounts via a fake Chrome browser plugin.

A malspam campaign distributes the Grandoreiro malware, tricking users into running COVID-19 themed videos that infect the user's machine.

After that, it installs a fake Chrome browser extension to steal the victim's banking site cookies for fraudulent money transactions.

Grandoreiro malware operators are expanding their scope from Brazilian to Spanish banking customers

ESET researchers observed fake websites abusing a novel coronavirus themed video named “” that targeted Brazilian bank customers to infect them with the Grandoreiro banking trojan in February.

[Figure: COVID-19 themed video downloads malware]

The remote-overlay malware began trending in Brazil in 2014 and became the top financial malware threat across the Latin America region.

IBM X-Force researchers observed that the first stage of infection contains a URL that redirects to masked invoice files with an .msi extension hosted in a GitHub repository.

The loader fetches the second-stage Grandoreiro payload from a hardcoded URL to download it and infect the device.

Some sample images show that it also asks users to install a supposed security application, as below:

[Figure: Fake app]

The Grandoreiro bot communicates with its C&C server using a communication algorithm that generates the second part of the request path, as shown below. The connection is only established if the infected device's system date matches a recent campaign date, which gives the attacker an operational-security feature. C2 traffic is also encrypted and transmitted over SSL.

[Figure: Bot communication HTTP pattern]

The malware writes a compressed archive file named from which it extracts additional files, placing them into a directory under C:/%user%/*extension folder*/*.

The extracted files are modified versions of an existing, legitimate Google Chrome browser extension called Edit This Cookie.

In the next step, to set up the fake browser, a new Chrome browser shortcut is created whose target contains a “--load-extension” parameter, so the new extension is loaded whenever the browser starts.

[Figure: Fake Chrome browser plugin]

Here is an example of the target path of the shortcut that loads the fake browser plugin:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --load-extension="%userprofile%\F162FD4091BD6D9759E60C3"

Since this malicious extension is trying to pass as a legitimate Chrome plugin, Grandoreiro's developer named it “Google Plugin” version 1.5.0. Visually, it adds a square button to the browser window in place of the “cookie” button of the original plugin.
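The shortcut trick described above leaves a simple artifact to hunt for on a workstation. The following PowerShell script is an added example (not from the article or from any vendor tool): it reads the target and arguments of Chrome shortcuts, flags any that pass --load-extension, expands the extension path, and reads the extension's manifest.json so the name and version can be compared with the “Google Plugin” 1.5.0 sample described here. The search locations and the rule that an extension directory under the user profile is suspicious are assumptions for this example.

```powershell
# Added example: hunt for browser shortcuts that sideload an unpacked extension
# via --load-extension, as the Grandoreiro fake-browser setup does.
# Assumptions: the shortcut locations below and the "user profile = suspicious"
# rule are this example's choices, not something the article specifies.

$searchRoots = @(
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:PUBLIC\Desktop"
)

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

foreach ($root in $searchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        # Match both quoted ("C:\path with spaces") and unquoted extension paths
        if ($lnk.Arguments -match '--load-extension=(?:"([^"]+)"|([^\s]+))') {
            $raw     = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
            $extPath = [Environment]::ExpandEnvironmentVariables($raw)   # expands %userprofile%
            $name = $null; $version = $null
            $manifest = Join-Path $extPath 'manifest.json'
            if (Test-Path $manifest) {
                try {
                    $m = Get-Content -Path $manifest -Raw | ConvertFrom-Json
                    $name = $m.name; $version = $m.version
                } catch { }   # unreadable manifest is still worth reporting
            }
            $findings += [pscustomobject]@{
                Shortcut     = $_.FullName
                Target       = $lnk.TargetPath
                ExtensionDir = $extPath
                ExtName      = $name
                ExtVersion   = $version
                # Flag: extension lives in the user profile, or carries the sample's name
                Suspicious   = ($extPath -like "$env:USERPROFILE*") -or ($name -eq 'Google Plugin')
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it in the context of the logged-on user; any hit with Suspicious = True deserves a look at the extension directory and at who modified the shortcut.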

[Figure: Fake Chrome browser plugin permissions]

Using the modified extension, the attacker can collect user information from cookies. Some of the collected information includes the following fields:


Researchers suspect that the malware uses this extension to grab the victim's cookies in order to make fraudulent money transactions. With this method, the attacker no longer needs to keep controlling the victim's machine.

Indicators of compromise (IoC):

