Metabase q

#METABASE Q GENERATOR#

By Leonardo Beltran & Diana Tadeo, Metabase Q’s Ocelot Team

Context

Grandoreiro is a Banking Trojan written in Delphi language that emerged in 2017, attacking mainly Brazil and some Latin American countries. This banking trojan is used as a backdoor to allow the attacker to access the victim’s devices and thus steal their banking information in the online banking sessions they open. A common feature of this type of banking trojan is the use of different domain generator algorithms (DGA) that make it difficult for organizations to block outgoing malicious traffic, since multiple domains are generated, even on a daily basis. Being able to decipher this type of algorithm would allow an organization to monitor, detect, block and therefore anticipate future attacks by these actors. In this blog, we describe the process followed by the Threat Intelligence Team to decipher the DGA algorithm used by Grandoreiro in a recently active campaign in Mexico, which allowed us to predict the future malicious domains to be used by the actors for the rest of 2022 and, with this, proactively protect the account holders of our banking customers. With the intention of contributing to the protection of the region, we have decided to share these indicators for the benefit of the Mexican banking sector.

Theft of online banking credentials from account holders. This campaign is active in Mexico and is distributed through spam emails. The victims are account holders of multiple Mexican banks. This malware allows the remote collection of user and banking data by using dynamic domains. Class: Backdoor, Banking Trojan, Infostealer. As Grandoreiro has targeted the Mexican region, constant monitoring of its indicators is essential to prevent future attacks.

Analysis of the infection process.
Detail of the analysis.
The use of the Domain Generator Algorithm (DGA).

A banking trojan dubbed Mispadu has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads. The activity, which commenced in August 2022, is currently ongoing, the Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Mispadu (aka URSA) was first documented by ESET in November 2019, describing its ability to perpetrate monetary and credential theft and act as a backdoor by taking screenshots and capturing keystrokes. "One of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into their command-and-control server to spread malware from there, filtering out countries they do not wish to infect, dropping different type of malware based on the country being infected," researchers Fernando García and Dan Regalado said. It's also said to share similarities with other banking trojans targeting the region, like Grandoreiro, Javali, and Lampion. Attack chains involving the Delphi malware leverage email messages urging recipients to open fake overdue invoices, thereby triggering a multi-stage infection process.