“Some groups of criminals even take vacations,” says Josep Albors, director of research and awareness at the cybersecurity company ESET Spain. The last time his team detected a sample of the Grandoreiro banking malware was last May; now, however, it seems the attackers have returned to the field.
Albors says the cybercriminals have reused a fake Vodafone invoice that had already been sent by email in 2020. The subject of the email refers to an alleged fine, and the body of the message mentions a payment deadline, which gives the user a sense of urgency so that they do not stop to consider that it could be a scam.
The cybercriminals offer two ways to access the fake invoice: in PDF format or in VBS format. Whichever option the victim chooses, they are redirected to download a compressed file from a server controlled by the attackers.
For months Grandoreiro has been almost dormant, and the scammers have used this time to rework it. Albors explains that “the executable included in the downloaded compressed file acts as a downloader and is not the one that was commonly used until recently.” The experts believe this improved version was made specifically for this phishing campaign.
“This downloader connects to a URL that the criminals have set up, from which it obtains two further links that are generated on every visit,” says Albors. The first link downloads an XML file containing a payload that belongs to the banking trojan.
The second is a PHP redirect to a page on ‘Google.com’, which the researchers believe could be used as some kind of log of the victims. According to ESET, despite the attackers’ mistakes in trying to hide their infrastructure, this threat has been active for years in Latin American countries and in Spain, infecting a large number of devices.
The security company recommends being suspicious of messages that mention fines or invoices addressed to us. In such cases, users should delete the email directly, without opening the attached files or clicking on the links it contains.
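As an added example (not ESET’s code or anything from the article), a small mail-gateway heuristic in Python that flags the lure traits described above: an invoice theme, fine/payment-deadline urgency, and delivery through a VBS script or a compressed archive. The term lists, file extensions, domain names and the two sample messages are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed indicators modelled on the lure described above: an invoice theme,
# fine/payment-deadline urgency, and VBS-script or compressed-archive delivery.
URGENCY_TERMS = ("fine", "penalty", "payment deadline", "multa", "plazo de pago")
INVOICE_TERMS = ("invoice", "factura")
DELIVERY_EXTS = (".vbs", ".vbe", ".js", ".zip", ".rar", ".7z")

@dataclass
class MailRecord:
    subject: str
    body: str
    attachments: list  # attachment file names
    links: list        # URLs extracted from the body

def _suffix(name: str) -> str:
    """Lower-cased extension of a file name or URL path, query string dropped."""
    last = name.lower().split("?", 1)[0].rsplit("/", 1)[-1]
    return "." + last.rsplit(".", 1)[1] if "." in last else ""

def _mentions(text: str, terms) -> bool:
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)

def invoice_lure_indicators(mail: MailRecord) -> list:
    """List the lure traits present in one message; an empty list means none."""
    hits = []
    text = f"{mail.subject} {mail.body}".lower()
    if _mentions(text, INVOICE_TERMS):
        hits.append("invoice theme")
    if _mentions(text, URGENCY_TERMS):
        hits.append("fine/deadline urgency")
    for name in mail.attachments:
        if _suffix(name) in DELIVERY_EXTS:
            hits.append(f"script/archive attachment: {name}")
    for url in mail.links:
        if _suffix(url) in DELIVERY_EXTS:
            hits.append(f"script/archive link: {url}")
    return hits

def is_suspicious(mail: MailRecord) -> bool:
    """Flag only when a lure theme is paired with a script or archive delivery."""
    kinds = {h.split(":")[0] for h in invoice_lure_indicators(mail)}
    delivery = {"script/archive attachment", "script/archive link"}
    return bool(kinds - delivery) and bool(kinds & delivery)

# Constructed samples: one modelled on the campaign's lure, one a benign invoice.
LURE = MailRecord("Multa pendiente - factura Vodafone", "Plazo de pago: viernes.",
                  [], ["https://invoice-download.example/factura.vbs?id=7"])
BENIGN = MailRecord("Monthly invoice", "Attached, no action needed.", ["inv-05.pdf"], [])
```

Because the campaign’s PDF option also ends in a compressed download, a production rule would additionally follow where each link redirects rather than judging the link text alone.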