Authorities in Spain warn that a fake email impersonating WhatsApp is circulating, with the aim of getting recipients to download the Grandoreiro banking Trojan.
Spain's Internet User Security Office (OSI) and the Civil Guard have recently warned about a phishing campaign in which the attackers impersonate WhatsApp to distribute the Grandoreiro banking Trojan. The fake email tries to pass itself off as an official communication by inviting recipients to download a backup copy of their conversations and call history in the messaging app.
As can be seen in the image of the email impersonating WhatsApp, the message includes an attachment named “Open_Document_513069.html”. As its extension indicates, it is an HTML file, and it contains a URL shortened with the bitly service. According to an analysis of the attached HTML carried out in the ESET Latin America laboratory, opening the attachment redirects the browser to a site from which a .zip file is downloaded. That archive contains an MSI installer, which in turn downloads the actual payload: the Grandoreiro banking Trojan. ESET systems detect this variant as Win32/Spy.Grandoreiro.BB.
If the user runs the downloaded installer, the computer is in all likelihood infected with the malware.
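The delivery chain described above (HTML attachment, shortened URL, .zip archive, MSI installer) is one a mail gateway or an analyst can triage statically before anyone opens the file. The following Python script is an added example, not code from the original article or from ESET: it parses an HTML attachment, collects every URL the page could send the browser to (anchors, meta refresh, frames, forms and simple JavaScript navigation) and flags link shorteners and archive/installer downloads. The sample attachment, its URLs and the shortener and extension lists are constructed for the example and are not the real Open_Document_513069.html.

```python
"""Static triage of an HTML email attachment (added example, not ESET code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public link shorteners; a bitly link inside an HTML attachment is the exact
# pattern reported in this campaign. List is an assumption, extend as needed.
SHORTENER_DOMAINS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "ow.ly", "cutt.ly"}
# File types a "chat backup" link should never hand to a user.
DROPPER_EXTENSIONS = (".zip", ".rar", ".7z", ".msi", ".exe", ".iso", ".lnk", ".js", ".vbs")

# Constructed sample: mimics the campaign's lure, but is NOT the real attachment
# and the URLs are placeholders (example.invalid never resolves).
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://bit.ly/example-short-link">
</head><body>
<p>Your WhatsApp backup is ready.</p>
<a href="https://bit.ly/example-short-link">Download backup</a>
<script>
setTimeout(function(){ window.location.href = "https://example.invalid/backup/conversations.zip"; }, 1500);
</script>
</body></html>"""


class _UrlCollector(HTMLParser):
    """Collects every URL the document could navigate to, with its source."""

    _JS_NAV = re.compile(r"""(?:location(?:\.href)?|window\.open)\s*[=(]\s*['"]([^'"]+)['"]""")
    _META_URL = re.compile(r"""url\s*=\s*['"]?([^'"\s;]+)""", re.I)

    def __init__(self):
        super().__init__()
        self.urls = []            # list of (source, url) in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # html.parser lowercases attribute names
        if tag == "a" and a.get("href"):
            self.urls.append(("anchor", a["href"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = self._META_URL.search(a.get("content") or "")
            if m:
                self.urls.append(("meta-refresh", m.group(1)))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.urls.append((tag, a["src"]))
        elif tag == "form" and a.get("action"):
            self.urls.append(("form", a["action"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> bodies verbatim through handle_data.
        if self._in_script:
            for m in self._JS_NAV.finditer(data):
                self.urls.append(("javascript", m.group(1)))


def classify_url(url):
    """Return the risk flags for one URL (empty list means nothing notable)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    bare_host = host[4:] if host.startswith("www.") else host
    flags = []
    if bare_host in SHORTENER_DOMAINS:
        flags.append("link-shortener")
    if parsed.path.lower().endswith(DROPPER_EXTENSIONS):
        flags.append("archive-or-installer")
    if parsed.scheme == "http":
        flags.append("plain-http")
    return flags


def triage_html_attachment(html_text):
    """Parse the attachment and return one finding per discovered URL."""
    collector = _UrlCollector()
    collector.feed(html_text)
    collector.close()
    return [{"source": src, "url": url, "flags": classify_url(url)}
            for src, url in collector.urls]


def is_suspicious(findings):
    """Quarantine if any URL is flagged, or if the page auto-redirects at all:
    an HTML attachment whose only job is to bounce the browser elsewhere is
    a redirector, which is the role the attachment plays in this campaign."""
    return any(f["flags"] for f in findings) or \
        any(f["source"] in ("meta-refresh", "javascript") for f in findings)


if __name__ == "__main__":
    for finding in triage_html_attachment(SAMPLE_ATTACHMENT):
        print(f"{finding['source']:<13} {finding['url']}  {finding['flags']}")
    print("verdict:", "suspicious" if is_suspicious(triage_html_attachment(SAMPLE_ATTACHMENT)) else "clean")
```

The script deliberately does not resolve the shortened link: expanding it would contact attacker infrastructure from the analysis host. Resolve it in a sandbox, and treat the final ZIP/MSI as the next artifact to detonate or scan, not something to open on a workstation.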
As the OSI explains on its website, it cannot be ruled out that other emails with different subject lines are also in circulation.
In fact, in March of this year a similar phishing campaign was detected in which WhatsApp's identity was spoofed using the same pretext, and there are also records of a similar campaign in 2020.
About the Grandoreiro Trojan
In April of last year we published a detailed analysis of Grandoreiro, a banking Trojan written in Delphi that shares many features with other highly active Latin American banking Trojan families. Some of these families, such as Grandoreiro and Mekotio, have expanded beyond Latin America and begun aiming their campaigns at users in Spain and other European countries.
In 2020, Grandoreiro was present mainly in countries such as Brazil, Spain, Mexico and Peru. Shortly after the COVID-19 pandemic was declared, emails were detected that used the pandemic as a lure, as well as campaigns targeting Spain that impersonated the Tax Agency.
Once it has infected the victim's computer, the Trojan's main objective is to steal banking credentials by displaying fake pop-up windows designed to make the victim believe they are on the bank's official site. In addition, like other Latin American banking Trojans, it has backdoor capabilities that let the attacker perform further malicious actions on the compromised machine: logging keystrokes (keylogging), simulating mouse and keyboard input, logging the victim off, blocking access to certain sites, and even restarting the computer, to name a few.
According to ESET telemetry, detections over the last 90 days of the same Grandoreiro variant used in this WhatsApp-themed campaign show activity mainly in Spain, but also in Mexico and Brazil. This does not mean that this exact campaign is circulating in those countries, but nor can we rule out that the same social-engineering lure will be reused in campaigns aimed at Latin American countries, so it is important to be aware of this type of phishing campaign in order not to fall for it if such an email arrives.