Researchers are warning of a remote overlay malware attack that leverages a fake Chrome browser plugin to target the accounts of banking customers in Spain.

Grandoreiro is a type of remote overlay banking trojan, designed to help attackers overtake devices and display a full-screen overlay image when victim accesses their online banking account. In the background, meanwhile, the attacker initiates a fraudulent money transfer from the compromised account. The Grandoreiro malware, at the heart of this attack, is commonly known for exclusively targeting banking customers in Brazil – so this latest attack shows its operators expanding to victims in new countries.

The campaign, uncovered as early as February 2020, uses coronavirus-themed videos (sent via malspam messages) to trick users to click on a URL that takes them to a boobytrapped website, said Dani Abramov and Limor Kessem, researchers with IBM X-Force, in an analysis of the malware posted Monday.

On that boobytrapped website, victims are then persuaded to download an .MSI file from a Github repository, which is actually the malware loader. The Grandoreiro payload is then fetched via a hardcoded URL within the loader’s code.

After download, Grandoreiro establishes a connection with its command-and-control (C2) server, which researchers say allows the malware to send notifications about machine information and facilitate remote access capabilities to the attacker when a victim accesses a banking site.

One unique technique utilized by Grandoreiro’s operators is the download of a malicious extension for the Google Chrome browser. This extension pretends to be a “Google Plugin” version 1.5.0., and is added as a visually square button to the browser window.

The extension asks victims for various permissions, including reading victim browsers’ history, displaying notifications, modifying data that’s copied and pasted and more.

“We suspect that the malware uses this extension to grab the victim’s cookies and use them from another device to ride the victim’s active session,” said researchers. “With this method, the attacker won’t need to continue controlling the victim’s machine.”

Once active on the infected device, Grandoreiro waits in the background for the victim to take an action that will trigger it, such as browsing to a targeted bank’s website. When that happens, the attacker invokes the remote-access feature of the malware and launches malicious images (of the targeted banks’ interface) on the victims’ screen, tricking them into keeping the session alive and providing information (like credentials, etc.) that can help the attacker. Then, in the background, the attacker can initiate a fraudulent transfer to drain the victims’ account – without setting off any red flags to the banks.

Location Expansion

Researchers observed the samples of the malware targeting victims in Spain were very similar in their source code – 80 to 90 percent identical – to those from Brazil.

This led them to conclude that the original attackers have either spread their attacks to a new region, or are collaborating with other attackers in Spain. Remote-overlay trojans are easy to find and purchase in underground and dark web markets, researchers noted.

“Grandoreiro… has migrated to Spain without significant modification, proving that attackers who know the malware from its Brazilian origins are either collaborating with attackers in Spain or have themselves spread the attacks to the region,” said researchers.

Researchers said that typically larger sophisticated trojans, like TrickBot and IcedID, are found being used against large banks in various countries – but the similarities in language between Latin America and other Spanish-speaking countries allow smaller malware strains like Grandoreiro to be leveraged in new locations.

“[We] continue to see [malware spread] in the LATAM region and wherever else the language barrier can enable the same cybercriminals to operate, namely Spanish/Portuguese-speaking countries outside of LATAM,’ they said.

Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.