Researchers have observed a large Grandoreiro campaign in which the remote-overlay banking Trojan targets customers of major Spanish banks, emptying their accounts with the help of a fake Chrome browser plugin.
The malspam campaign distributing Grandoreiro tricks users into opening COVID-19 themed videos, which infect the machine.
The malware then installs a fake Chrome browser extension that steals the victim's banking-site cookies for use in fraudulent money transfers.
In February, ESET researchers observed fake websites pushing a novel-coronavirus themed video archive named “video-china02712.zip” at Brazilian bank customers to infect them with the Grandoreiro banking Trojan.
Remote-overlay malware began trending in Brazil in 2014 and has become the top financial malware threat across Latin America.
IBM X-Force researchers observed that the first stage of infection contains a URL that redirects to a masked invoice file with a .msi extension hosted in a GitHub repository.
This loader then fetches the second-stage Grandoreiro payload from a hardcoded URL and infects the device.
Some sample images show that it also asks users to install a supposed security application, hosted at the address below:
hxxps://sites.google[.]com/view/brezasq12xwuy
The malware writes a compressed archive named ext.zip and extracts additional files from it into a directory under the user's profile (C:/%user%/*extension folder*/*).
The extracted files are modified versions of an existing, legitimate Google Chrome browser extension called Edit This Cookie.
To set up the fake browser, the malware creates a new Chrome shortcut whose target carries a --load-extension parameter, so the rogue extension is loaded every time the browser starts. A legitimate Chrome shortcut has no such switch; any chrome.exe shortcut that carries one and points into a user-writable folder deserves a closer look.
Here is an example of the target path of the fake browser plugin:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --load-extension="%userprofile%\F162FD4091BD6D9759E60C3"
Since this malicious extension is trying to pass for a legitimate Chrome plugin, Grandoreiro's developer named it “Google Plugin” version 1.5.0. Visually, it adds a square button to the browser window in place of the “cookie” button of the original plugin.
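The shortcut trick above leaves a simple forensic artifact: a .lnk file whose COMMAND_LINE_ARGUMENTS string contains --load-extension. The script below is an added example written for this article, not code from the article, IBM X-Force or ESET. It is a minimal parser for the Windows shell link format (MS-SHLLINK) that pulls the argument string out of a shortcut and reports the directories a --load-extension switch points at. So that it runs offline, it also builds a constructed .lnk in memory that reuses the argument string quoted above; the relative path, working directory and the benign second shortcut are assumptions for the demo. Point scan_directory() at a real Desktop, Start Menu or Public Desktop folder to use it for triage.

```python
"""Find Chrome shortcuts that side-load an unpacked extension via --load-extension.

Added example for the Grandoreiro article (not the article's, IBM's or ESET's code).
Implements just enough of MS-SHLLINK to reach the StringData section of a .lnk.
"""
import re
import struct
from pathlib import Path

# ShellLink header: size 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Chrome takes a comma-separated list of directories: --load-extension=dir1,dir2
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _read_string(data, pos, is_unicode):
    """Read one StringData entry: uint16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if is_unicode:
        end = pos + 2 * count
        return data[pos:end].decode("utf-16-le"), end
    end = pos + count
    return data[pos:end].decode("cp1252", errors="replace"), end


def parse_lnk(data):
    """Return the shortcut's string fields; a field absent from the file is None."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link (.lnk) file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (uint16) + IDList
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (uint32) includes itself
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {}
    for name, flag in STRING_FIELDS:
        if flags & flag:
            fields[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
        else:
            fields[name] = None
    return fields


def sideloaded_extensions(arguments):
    """Directories named by --load-extension in an argument string, [] if none."""
    if not arguments:
        return []
    paths = []
    for m in LOAD_EXT.finditer(arguments):
        value = m.group(1) if m.group(1) is not None else m.group(2)
        paths.extend(p for p in value.split(",") if p)
    return paths


def scan_directory(root):
    """Yield (shortcut path, extension dirs) for every .lnk under root that side-loads."""
    for lnk in Path(root).rglob("*.lnk"):
        try:
            fields = parse_lnk(lnk.read_bytes())
        except (ValueError, struct.error):
            continue
        hits = sideloaded_extensions(fields["arguments"])
        if hits:
            yield str(lnk), hits


def build_lnk(arguments, relative_path=r".\chrome.exe", working_dir=None):
    """Constructed sample: a minimal Unicode .lnk with no IDList/LinkInfo
    (real shortcuts normally carry both; the parser skips them either way)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if working_dir is not None:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def utf16(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = utf16(relative_path)
    if working_dir is not None:
        body += utf16(working_dir)
    return header + body + utf16(arguments)


# Argument string taken from the shortcut shown in the article (the folder name is the article's).
SAMPLE_ARGS = r'--load-extension="%userprofile%\F162FD4091BD6D9759E60C3"'


def demo():
    """Parse one constructed malicious shortcut and one constructed benign one."""
    bad = build_lnk(SAMPLE_ARGS, working_dir=r"C:\Program Files (x86)\Google\Chrome\Application")
    good = build_lnk('--profile-directory="Default"')   # assumed benign shortcut
    return (sideloaded_extensions(parse_lnk(bad)["arguments"]),
            sideloaded_extensions(parse_lnk(good)["arguments"]))


if __name__ == "__main__":
    print(demo())
```

The parser stops at the StringData block because that is all the check needs; it deliberately ignores the ExtraData section, so a shortcut with unusual trailing structures still yields its arguments. On a live host, anything reported by scan_directory() should be followed by a look at the named directory for a manifest.json and a comparison of its contents against the real extension.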
Using the modified extension, the attacker can collect user information from the victim's cookies. Some of the collected information includes the following fields:
Researchers suspect the malware uses this extension to grab the victim's cookies in order to make fraudulent money transfers. With this method the attacker no longer needs to keep controlling the victim's machine, since the stolen session cookies can be used from the attacker's own system.
Indicators of compromise (IoC):
Interesting topic, but I find it difficult to understand as a common man.
We have to be more accurate on the internet right now. I've seen lots of scam cases already. That's why I prefer using only software I'm confident in. I spent most of my isolation time in the COVID-19 chat in Utopia p2p: the latest news, which can't be found in the mass media, and simple support from people.