
Beware of Coronavirus-themed Grandoreiro Malware Attacks Bank Customers Via Chrome Plugin

Researchers have observed a large campaign of Grandoreiro, a remote-overlay banking Trojan, targeting customers of major Spanish banks in order to empty their accounts with the help of a fake Chrome browser extension.

The malspam campaign delivers Grandoreiro by tricking users into opening a supposed COVID-19 themed video, which infects the machine.

The malware then installs a fake Chrome browser extension that steals the victim's banking-site cookies, which the attackers use for fraudulent money transfers.

Grandoreiro operators expand their scope from Brazilian to Spanish bank customers

In February, ESET researchers observed fake websites pushing a novel-coronavirus themed video named “video-china02712.zip” to infect Brazilian bank customers with the Grandoreiro banking Trojan.

COVID-19 themed video download delivering the malware

Remote-overlay malware first became prevalent in Brazil in 2014 and has since grown into the top financial malware threat across Latin America.

IBM X-Force researchers observed that the first stage of the infection contains a URL that redirects to a disguised invoice file with an .msi extension hosted in a GitHub repository.

This loader then fetches the second-stage Grandoreiro payload from a hardcoded URL and infects the device.

Some of the samples also ask the user to install a supposed security application, as shown below:

Fake App

The Grandoreiro bot communicates with its C&C server using a path-generation algorithm that produces the second part of the URL path, as in the example below. The bot only attempts the connection when the infected device's date matches a recent campaign date; outside that window it does not reach out to the C&C at all. This serves as an operational-security measure for the attackers, and the C2 traffic is additionally encrypted and carried over SSL.

hxxps://sites.google[.]com/view/brezasq12xwuy

Bot communication HTTP Pattern

The malware writes a compressed archive named ext.zip, extracts additional files from it, and places them in a directory under C:/%user%/*extension folder*/*.

The extracted files are a modified version of a legitimate Google Chrome extension, Edit This Cookie.

To set up the fake browser, the malware creates a new Chrome shortcut whose target carries a --load-extension parameter, so the extension is loaded every time the browser is started from that shortcut.

Fake chrome browser Plugin

Here is an example of the target path of the tampered browser shortcut (the Chrome flag is --load-extension, with two hyphens):

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --load-extension="%userprofile%\F162FD4091BD6D9759E60C3"

Because this malicious extension is trying to pass as a legitimate Chrome plugin, Grandoreiro's developer named it “Google Plugin”, version 1.5.0. Visually, it adds a square button to the browser toolbar in place of the “cookie” button of the original extension.

Fake chrome browser plugin permissions

Using the modified extension, the attacker collects user information from cookies and from web forms. The collected data includes the following fields:

{"url", "tabid", "PASSANDO,PARAMETRO", "cookie", "name", "domain", "value", "expired", "FormData", "WEBMAIL", "LoginForm[password]", "CHECKBOX_TROCA_SENHA", "ccnumber"}

Researchers suspect that the malware uses this extension to grab the victim's banking-session cookies and then uses them for fraudulent money transfers. With a valid session cookie in hand, the attacker no longer needs to keep controlling the victim's machine.
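The two artifacts described above, a Chrome shortcut carrying --load-extension and a side-loaded extension that holds cookie access, are both easy to check for on a suspect machine. The script below is an added example and is not code from the article or from the researchers it cites: it parses a shortcut's command line for --load-extension directories and inspects each directory's manifest.json. The shortcut text, the directory name and the manifest are constructed for the demonstration; in particular, the permission list is an assumption modelled on the legitimate Edit This Cookie extension, since the article does not publish the fake extension's manifest.

```python
"""Hunt for Chrome shortcuts that side-load an unpacked extension and check
what that extension is allowed to do.  Added example; not code from the
article or from the researchers it cites.  All paths and the manifest are
constructed for the demonstration."""
import json
import os
import re
import tempfile

# Chrome accepts one or more comma-separated directories after --load-extension.
# The value may be quoted ("...") or bare.
_LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))')

# Permissions that together let an extension read cookies for every site.
# MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
COOKIE_PERMS = {"cookies"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def extract_load_extension_dirs(command_line, env=None):
    """Return the directories a shortcut command line side-loads via
    --load-extension.  %VAR% references are expanded from `env`, a dict
    standing in for the user's environment (Windows names are case-insensitive)."""
    lookup = {k.lower(): v for k, v in (env or {}).items()}
    dirs = []
    for m in _LOAD_EXT.finditer(command_line):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        for raw in value.split(","):
            raw = raw.strip()
            if not raw:
                continue
            dirs.append(re.sub(r"%([^%]+)%",
                               lambda v: lookup.get(v.group(1).lower(), v.group(0)),
                               raw))
    return dirs


def assess_extension(ext_dir):
    """Read manifest.json and report whether the extension can harvest cookies
    site-wide.  'suspicious' is True when it holds the cookies permission
    together with a wildcard host permission."""
    # Shortcut targets are Windows paths; normalise so the demo also runs on POSIX.
    ext_dir = ext_dir.replace("\\", os.sep)
    manifest_path = os.path.join(ext_dir, "manifest.json")
    if not os.path.isfile(manifest_path):
        return {"dir": ext_dir, "error": "no manifest.json", "suspicious": False}
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    reads_cookies = bool(perms & COOKIE_PERMS)
    broad_hosts = bool(perms & BROAD_HOSTS)
    return {
        "dir": ext_dir,
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "cookies_permission": reads_cookies,
        "broad_host_access": broad_hosts,
        "suspicious": reads_cookies and broad_hosts,
    }


def hunt(shortcut_command_lines, env):
    """One finding per side-loaded extension directory across all shortcuts."""
    return [assess_extension(d)
            for cmd in shortcut_command_lines
            for d in extract_load_extension_dirs(cmd, env)]


def demo():
    """Constructed scenario: an unpacked extension named like the article's
    'Google Plugin' 1.5.0 and a shortcut that loads it.  The permission list is
    an assumption modelled on the legitimate Edit This Cookie extension."""
    profile = tempfile.mkdtemp()
    ext_dir = os.path.join(profile, "F162FD4091BD6D9759E60C3")
    os.makedirs(ext_dir)
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"manifest_version": 2, "name": "Google Plugin", "version": "1.5.0",
                   "permissions": ["cookies", "tabs", "<all_urls>", "storage"]}, fh)
    chrome = '"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"'
    tampered = chrome + ' --load-extension="%userprofile%\\F162FD4091BD6D9759E60C3"'
    clean = chrome  # an untouched shortcut: no side-loaded extension
    return hunt([tampered, clean], {"userprofile": profile})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host the command lines would come from the target and arguments of every Chrome .lnk under the user's Desktop, Start Menu and taskbar pinned items, and the findings would be triaged against the list of extensions actually installed through the Web Store; a --load-extension directory that Chrome's own installer never created is the artifact worth keeping.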

Indicators of compromise (IoC):

SHA-1:
2804007ed7e315cd468e265f93f6b19e680f0f0f
666299795f7ea6fda8a8b5aaf7a8287d6e427a8a

MD5:
caace6841a4ca5fde5c67e676d140ade
0ec58f736218541045fac6990e182700

SHA-256:
08710023c219f26237a9c8de5454a1de17117a2da651b4391afce8e331f31dfa
3bbd2beaa7953543e3cfb09d064db83b11034ff81255429b82e2de40d661ee29
f235cab363958022d0194fa924742be4292932af0e39e98fe8baca4157acc981
e7788de1702a9accd5bbd3d3f1d1e5507c7739ec28857dd46d16b029f0c1c809
b1e4ae121886039ea865549d0cb81f1f954056545a5aec487a538ae5f616bb52

URLs (defanged):
http://rebrand(.)ly/2ksdjpp
http://13.72.105(.)98:443/APfunkdrawer.iso
http://13.72.105(.)98:443/964CE715CF7BB75B.zip
http://13.72.105(.)98/apfunkdrawer.iso


HemaVijay

Comments

  • We have to be more accurate on the internet right now. I've seen lots of scam cases already. That's why I prefer using only the software I'm confident in. I spent most of my isolation time in the COVID-19 chat in Utopia p2p. The latest news, which can't be found in the mass media, and simple support from people.
