
Two banking trojan campaigns target Windows and Android users in Latin America and Europe. Grandoreiro targets banks in Portugal and focuses on companies in Spain and Portugal, using DLL side-loading that abuses multiple software components. The malware has been active since 2016 and steals credentials tied to thousands of financial institutions across 45 countries and territories; it is typically delivered through phishing emails containing links. It continues to expand despite arrests and attempts to disrupt its infrastructure in early 2024, and it uses CAPTCHA checks to resist analysis. The campaign relies on DLLs developed in Delphi 11, including mingwm10.dll and libwebp.dll, which incorporate the sgcWebSockets library for peer-to-peer and WebRTC communications. It also uses STUN to discover its public IP address and port behind NAT, hiding in web conferencing traffic that is noisy, difficult to monitor, and common across all major platforms.
"Grandoreiro is an actively evolving banking malware that's capable of stealing credentials associated with thousands of financial institutions across 45 countries and territories. It's typically distributed via phishing emails, instructing recipients to click on sketchy links. Despite some arrests and attempts by Brazilian authorities to dismantle its infrastructure in early 2024, the malware has continued to expand its targeting footprint, while incorporating CAPTCHA checks to resist analysis."
"The latest campaign flagged by WatchGuard has been found to leverage DLL side-loading to launch DLLs that are developed in Delphi 11, a programming language commonly used for malware targeting the region. Two of the DLLs - mingwm10.dll and libwebp.dll - have been found to incorporate sgcWebSockets, a WebSocket and real-time communication library, for peer-to-peer (P2P) and WebRTC communications."
"The DLLs associated with this case use the Session Traversal Utilities for NAT (STUN) protocol, which is a protocol that helps devices behind a NAT discover their public IP address and port number, enabling peer-to-peer communication," WatchGuard explained.
"The advantage for threat actors to use web conferencing traffic in their campaigns is due to this traffic being noisy, being difficult to monitor, and due to WebRTC being commonly used across all major web-conferencing platforms."
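The STUN exchange WatchGuard describes is plain RFC 5389 traffic: a Binding Request carrying the 0x2112A442 magic cookie, answered by a Binding Success Response whose XOR-MAPPED-ADDRESS attribute tells the client its public IP and port. The following is an added example, not code from the article or from WatchGuard, showing how a defender can recognise STUN in captured UDP payloads and decode the mapped address so that STUN from an unexpected process (a side-loaded DLL rather than a conferencing client) can be surfaced. The transaction ID and the 203.0.113.7:54321 mapping are constructed sample values; the builder functions exist only to produce test input offline.

```python
import socket
import struct
from typing import List, Optional, Tuple

# Constants from RFC 5389 (STUN)
STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def is_stun(payload: bytes) -> bool:
    """Cheap classifier for a UDP payload: STUN messages start with two zero
    bits, carry the magic cookie at offset 4, and have a length field that
    matches the rest of the datagram and is a multiple of 4."""
    if len(payload) < HEADER_LEN:
        return False
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    return (
        (msg_type & 0xC000) == 0
        and cookie == STUN_MAGIC_COOKIE
        and msg_len == len(payload) - HEADER_LEN
        and msg_len % 4 == 0
    )


def parse_stun(payload: bytes) -> Tuple[int, bytes, List[Tuple[int, bytes]]]:
    """Return (message type, 96-bit transaction ID, [(attr type, value), ...]).
    Attribute values are padded to a 4-byte boundary on the wire."""
    msg_type, msg_len, _cookie = struct.unpack("!HHI", payload[:8])
    txid = payload[8:HEADER_LEN]
    attrs: List[Tuple[int, bytes]] = []
    off, end = HEADER_LEN, HEADER_LEN + msg_len
    while off + 4 <= end:
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        attrs.append((atype, payload[off + 4:off + 4 + alen]))
        off += 4 + alen + (-alen % 4)  # skip value plus padding
    return msg_type, txid, attrs


def decode_xor_mapped_address(value: bytes) -> Tuple[str, int]:
    """XOR-MAPPED-ADDRESS (IPv4 only here): port is XORed with the top 16 bits
    of the magic cookie, the address with the whole cookie."""
    family = value[1]
    if family != 0x01:
        raise ValueError("only IPv4 handled in this example")
    xport = struct.unpack("!H", value[2:4])[0]
    xaddr = struct.unpack("!I", value[4:8])[0]
    port = xport ^ (STUN_MAGIC_COOKIE >> 16)
    addr = socket.inet_ntoa(struct.pack("!I", xaddr ^ STUN_MAGIC_COOKIE))
    return addr, port


def summarize(payload: bytes) -> Optional[dict]:
    """Detection helper: None if not STUN, else the message type and the
    public mapping the server reported (if the message carries one)."""
    if not is_stun(payload):
        return None
    msg_type, txid, attrs = parse_stun(payload)
    mapped = None
    for atype, value in attrs:
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            mapped = decode_xor_mapped_address(value)
    return {"type": msg_type, "transaction_id": txid.hex(), "mapped_address": mapped}


# --- builders used only to construct sample traffic for the demonstration ---

def build_binding_request(txid: bytes) -> bytes:
    """A Binding Request is just the 20-byte header with no attributes."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """A Binding Success Response carrying one XOR-MAPPED-ADDRESS attribute."""
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ STUN_MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE)
    return header + txid + attr


if __name__ == "__main__":
    # Constructed sample exchange; 203.0.113.7 is a documentation address.
    sample_txid = bytes(range(12))
    for pkt in (build_binding_request(sample_txid),
                build_binding_response(sample_txid, "203.0.113.7", 54321),
                b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"):
        print(summarize(pkt))
```

In practice `summarize` would be fed UDP payloads from a capture or a host sensor together with the owning process; STUN is expected from browsers and conferencing clients, and a mapped address being learned by an unrelated process running side-loaded DLLs is the signal worth alerting on.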
Read at The Hacker News