From Copacabana to Barcelona: The Cross-Continental Threat of Brazilian Banking Malware
Proofpoint researchers have discovered a new version of the Grandoreiro malware that targets victims in both Mexico and Spain. This is unusual because the malware has historically targeted only Portuguese and Spanish speakers in Brazil and Mexico. Brazil has become a hotspot for cyber threats, with a growing number of people online and high adoption of online banking. Brazilian banking malware, including Grandoreiro, is typically delivered through email with various lures such as shared documents and utility bills. Once a victim clicks the URL, the malware is downloaded; it then steals data through keyloggers and screen-grabbers and captures bank login information through overlays on banking sites.

The recent Grandoreiro campaigns targeting both Mexico and Spain indicate that its capabilities have expanded to include banks in multiple geographic regions. The threat actor behind this malware, known as TA2725, has been observed targeting organizations in Brazil and Mexico, as well as consumer credentials for Netflix and Amazon accounts. The researchers expect targeting outside of Latin America to increase as the global supply chain becomes more interconnected.