
Brazil gets hit by the Grandoreiro Banking Trojan as Smishing Scams Increase in Pakistan


The Smishing Triad is a threat actor that has expanded its reach outside the United States, the United Arab Emirates, Saudi Arabia, and the European Union. Its current target is Pakistan.

Resecurity stated in a study released earlier this week that "the group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS." "The goal is to steal their personal and financial information."


The threat actors, who are thought to be Chinese-speaking, are known for using stolen datasets sold on the dark web to send phony text messages that lure recipients into clicking on links; the messages claim that a package has not arrived as expected and that the recipient needs to update their address.


In the event that users click on the URLs, they are sent to fraudulent websites where they are asked to provide financial information in order to process what they believe to be a service fee for redelivery.

"Besides Pakistan Post, the group was also involved in detecting multiple fake delivery package scams," Resecurity stated. "These scams primarily targeted individuals who were expecting legitimate packages from reputable courier services such as TCS, Leopard, and FedEx."


The development coincides with Google's disclosure of information about PINEAPPLE, a threat actor that uses spam messages with tax and finance-themed lures to trick Brazilian users into clicking on malicious links or files that eventually launch the information-stealing malware known as Astaroth (also known as Guildma).


Google's Mandiant and Threat Analysis Group (TAG) stated that "PINEAPPLE frequently abuses legitimate cloud services in their attempts to distribute malware to users in Brazil." "The group has experimented with a number of cloud platforms, including Google Cloud, Amazon AWS, Microsoft Azure and others."

It's important to note that Cisco Talos reported the misuse of Google Cloud Run to spread Astaroth earlier in February, characterizing it as a high-volume malware distribution operation aimed at consumers in Europe and Latin America (LATAM).


The internet giant also said it has observed a Brazil-based threat cluster, which it tracks as UNC5176, targeting the financial services, healthcare, retail, and hospitality industries with a backdoor dubbed URSA that can steal login credentials for various banks, cryptocurrency websites, and email clients.
The assaults use emails and malvertising campaigns to spread a ZIP file that contains an HTML Application (HTA) file. When the HTA file is accessed, a Visual Basic Script (VBS) is dropped, which initiates a remote server connection and retrieves a second-stage VBS file.

Following the download, the VBS file performs a number of anti-sandbox and anti-VM tests before communicating with a command-and-control (C2) server to get and run the URSA payload.
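The chain described above (an HTA file launching a VBS dropper, which then fetches a second stage from a remote server) leaves a recognisable parent-child pattern in endpoint telemetry: mshta.exe spawning a Windows script host that runs a .vbs and then makes an outbound connection. The following is an added example, not code from the article or from Google, Cisco Talos, or any EDR vendor; the event field names (type, pid, ppid, image, cmdline, dest) are assumed and the sample events are constructed.

```python
"""Flag the HTA -> script host -> outbound fetch chain in process telemetry.

Added example (not from the article or any vendor tooling). Event field
names (type, pid, ppid, image, cmdline, dest) are assumed; they resemble
a Sysmon/EDR export but are not a specific product's schema.
"""
from collections import defaultdict
from typing import Dict, List

# Windows script hosts that execute .vbs files.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed sample telemetry: a benign explorer session, one malicious
# chain matching the article's description, and an unrelated logon script.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 100, "ppid": 50,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\Downloads\invoice.hta"},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage1.vbs"},
    {"type": "net_connect", "pid": 300, "dest": "203.0.113.10:80"},  # TEST-NET address
    {"type": "process_create", "pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\logon.vbs"},  # no HTA parent, no network
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hta_script_chains(events: List[Dict]) -> List[Dict]:
    """Return one finding per mshta.exe -> {wscript,cscript}.exe <x>.vbs chain.

    Severity is 'high' when the script host also made an outbound connection
    (the second-stage fetch in the article), otherwise 'medium'.
    """
    procs: Dict[int, Dict] = {}                 # pid -> process_create event
    children = defaultdict(list)                # ppid -> [child pid, ...]
    net_by_pid = defaultdict(list)              # pid -> [destination, ...]

    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
        elif ev["type"] == "net_connect":
            net_by_pid[ev["pid"]].append(ev["dest"])

    findings = []
    for pid, ev in procs.items():
        if basename(ev["image"]) != "mshta.exe":
            continue
        for child_pid in children[pid]:
            child = procs[child_pid]
            if basename(child["image"]) not in SCRIPT_HOSTS:
                continue
            if ".vbs" not in child["cmdline"].lower():
                continue
            outbound = net_by_pid.get(child_pid, [])
            findings.append({
                "hta_pid": pid,
                "hta_cmdline": ev["cmdline"],
                "script_pid": child_pid,
                "script_cmdline": child["cmdline"],
                "outbound": outbound,
                "severity": "high" if outbound else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_hta_script_chains(SAMPLE_EVENTS):
        print(f["severity"], f["hta_cmdline"], "->", f["script_cmdline"], f["outbound"])
```

The sample deliberately includes a cscript.exe running a logon script with no mshta.exe parent so that the rule only fires on the parent-child relationship, not on script hosts in general. A production version would key on process GUIDs rather than bare PIDs (PIDs are reused) and would extend the chain to the child that the second-stage VBS eventually launches.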


FLUXROOT, a third financially motivated actor based in Latin America that Google has highlighted, is linked to the distribution of the Grandoreiro banking trojan. The company said that in 2023 it took down phishing pages impersonating Mercado Pago that the adversary had hosted on Google Cloud with the aim of harvesting user passwords.

"More recently, FLUXROOT has continued distribution of Grandoreiro, using cloud services such as Azure and Dropbox to serve the malware," it stated.

The revelation coincides with the appearance of a new threat actor known as Red Akodon, who has been observed disseminating a number of remote access trojans, including AsyncRAT, Quasar RAT, Remcos RAT, and XWorm, via phishing emails intended to obtain credentials, bank account information, and email addresses.


The campaign, which has been running since April 2024, targets Colombia's banking, manufacturing, food, services, transportation, and health and education sectors in addition to government agencies.


"Red Akodon's initial access vector occurs mainly using phishing emails, which are used as a pretext for alleged lawsuits and judicial summonses, apparently coming from Colombian institutions such as the Fiscalía General de la Nación and Juzgado 06 civil del circuito de Bogotá," Scitum, a Mexican cybersecurity firm, stated.
