Threat Intelligence, Malware

Grandoreiro banking trojan revived in new attacks against Latin America, Europe


Attacks with the Grandoreiro banking trojan have been deployed against individuals in Mexico, Argentina, and Spain as part of recent phishing campaigns, SecurityWeek reports.

Malicious emails that use OVHcloud infrastructure and purport to be tax penalty warnings have been leveraged to redirect targets to Contabo-hosted servers and facilitate the download of Grandoreiro, according to an analysis from Forcepoint.

"Once executed, the malware steals credentials, searches for Bitcoin wallet directories, and connects to a [command-and-control] server. Attackers frequently change subdomains under contaboserver[.]net to evade detection," said Forcepoint researchers, who urged users not only to be wary of unknown emails but also to adopt various cybersecurity-enhancing tools.

The campaign comes after Grandoreiro was reported to have expanded its targeted banks and cryptocurrency wallets by the end of 2024, after being disrupted by law enforcement efforts earlier in the year and in 2021, indicating the banking trojan's enduring nature.
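Because the subdomains rotate, a blocklist of exact hostnames goes stale quickly, while matching on the parent domain at a label boundary does not. The sketch below is an added example, not code from Forcepoint or SC Media; the log layout (timestamp, client, destination), the `vmi…` hostnames and the client addresses are constructed for illustration, and a hit is a prompt for review since the parent domain also serves legitimate hosting customers.

```python
import re
from urllib.parse import urlsplit

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable form."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def host_of(value: str) -> str:
    """Extract a normalised hostname from a URL or a bare host[:port]."""
    value = refang(value)
    if "://" not in value:
        value = "//" + value            # make urlsplit treat it as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()     # drop the FQDN trailing dot

# Parent domain exactly as the article publishes it (defanged).
WATCHED_PARENT = host_of("contaboserver[.]net")

def under_parent(host: str, parent: str = WATCHED_PARENT) -> bool:
    """True for the parent itself or a real subdomain, never a lookalike."""
    return host == parent or host.endswith("." + parent)

def flag_requests(log_lines):
    """Return (client, host) pairs whose destination sits under the parent."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue                    # skip malformed lines
        client, host = fields[1], host_of(fields[2])
        if under_parent(host):
            hits.append((client, host))
    return hits

# Constructed sample proxy log: timestamp, client IP, destination.
SAMPLE_LOG = [
    "2025-01-10T09:00:01Z 10.0.0.5 https://vmi0000001.contaboserver.net/file.zip",
    "2025-01-10T09:00:07Z 10.0.0.8 VMI0000002.ContaboServer.NET.:443",
    "2025-01-10T09:01:12Z 10.0.0.9 https://notcontaboserver.net/",
    "2025-01-10T09:02:30Z 10.0.0.9 http://contaboserver.net.example.org/a",
]

if __name__ == "__main__":
    for client, host in flag_requests(SAMPLE_LOG):
        print(f"review: {client} -> {host}")
```

The last two sample lines show why a plain substring or `endswith("contaboserver.net")` test is not enough: both contain the string but neither is a subdomain of it.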
