Published 2021-10-07

ESET, a company specializing in threat detection, is warning about a phishing email that poses as an official WhatsApp communication but whose real purpose is to distribute the banking Trojan Grandoreiro.

Unlike self-propagating malware, a Trojan needs the victim to act in order to get onto the machine, for example by executing a file received via email. Campaigns of this kind therefore lean on social engineering, above all phishing, to trick users into taking that step.

According to ESET’s alert, the message invites recipients to download a backup copy of their WhatsApp conversations and call history. The email carries an attachment named “Open_Document_513069.html”; when it is opened, the browser is redirected to a website from which a .zip file is downloaded.

Example of an email that is distributing Grandoreiro. (Image: Disclosure/ESET)

The .zip archive contains an MSI installer. When the victim runs it, the installer downloads Grandoreiro and infects the machine.
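The delivery chain described above (an .html attachment that forwards the browser to a site serving an archive with an installer inside) is something a mail gateway or a SOC analyst can triage automatically. As an added example that is not part of ESET’s report or of this article, the Python below parses a raw message, picks out .html attachments, extracts meta-refresh and JavaScript redirect targets, and flags those pointing at an archive or installer download. The sample message, sender domain and download URL are constructed for the demo; only the attachment name is taken from the article.

```python
"""Flag e-mails whose HTML attachments redirect to an archive/installer download.

Added example (not ESET's or the article's code): a small triage check for the
delivery chain described in the text, where an .html attachment forwards the
browser to a site that serves a .zip containing an MSI installer. The mail
sample, sender domain and URLs below are constructed for the demo.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Redirect patterns commonly found in HTML "forwarder" attachments.
REDIRECT_PATTERNS = [
    # <meta http-equiv="refresh" content="0; url=https://...">
    re.compile(r'http-equiv=["\']?refresh["\']?[^>]*?url=([^"\'>\s;]+)', re.I),
    # window.location = "..." / location.href = "..."
    re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
    # location.replace("...")
    re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']', re.I),
]

# Download targets worth flagging for the chain described by the article.
SUSPICIOUS_EXTENSIONS = (".zip", ".msi", ".rar", ".7z", ".iso")


def extract_redirects(html: str) -> list[str]:
    """Return every redirect target URL found in an HTML document."""
    targets: list[str] = []
    for pattern in REDIRECT_PATTERNS:
        targets.extend(pattern.findall(html))
    return targets


def is_suspicious_target(url: str) -> bool:
    """True if the redirect points at an archive or installer download."""
    path = url.split("?", 1)[0].split("#", 1)[0].lower()
    return path.endswith(SUSPICIOUS_EXTENSIONS)


def triage_message(msg: EmailMessage) -> list[dict]:
    """Inspect each HTML attachment; report those redirecting to a download."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith((".htm", ".html")):
            continue
        payload = part.get_payload(decode=True) or b""
        html = payload.decode("utf-8", errors="replace")
        for url in extract_redirects(html):
            if is_suspicious_target(url):
                findings.append({"attachment": name, "redirect": url})
    return findings


def triage_raw(raw: bytes) -> list[dict]:
    """Parse a raw RFC 5322 message and triage its attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return triage_message(msg)


# Constructed sample: mirrors the lure shape (WhatsApp backup theme, .html
# attachment). The attachment name is the one reported in the article; the
# sender, recipient and download URL are invented for this example.
SAMPLE_EML = b"""\
From: WhatsApp <no-reply@example.test>
To: victim@example.test
Subject: Your WhatsApp backup is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Download your backup copy of conversations and call history.
--b1
Content-Type: text/html; name="Open_Document_513069.html"
Content-Disposition: attachment; filename="Open_Document_513069.html"

<html><head>
<meta http-equiv="refresh" content="0; url=https://files.example.test/backup_2021.zip">
</head><body>Loading...</body></html>
--b1--
"""

if __name__ == "__main__":
    for hit in triage_raw(SAMPLE_EML):
        print(f"[!] {hit['attachment']} redirects to {hit['redirect']}")
```

The check deliberately keys on the redirect target rather than on the lure text, because subjects and themes change between campaigns (the article itself notes earlier COVID-19-themed waves) while the attachment-forwards-to-archive mechanic stays the same. Extending `REDIRECT_PATTERNS` with base64-decoded or `document.write` payloads is the obvious next step when the attachment obfuscates its redirect.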

According to data from the analysis carried out by ESET, infections by the banking Trojan variant found in the fake WhatsApp email are on the rise mainly in Spain, Mexico and Brazil.

The head of the ESET Security Laboratory, Camilo Gutiérrez Amaya, points out that finding the same Trojan variant in several countries does not necessarily mean the same distribution campaign is being run in all of them, although that possibility cannot be ruled out. Because of this uncertainty, Amaya adds, it is important for companies and users to stay informed about active malware campaigns.

The ESET report also does not rule out that emails with other subjects are in circulation, citing as an example the distribution of Grandoreiro in messages themed around the COVID-19 pandemic in mid-2020.

The Grandoreiro Trojan horse

Grandoreiro, according to an analysis published by ESET, is a banking Trojan written in Delphi that during 2020 was found mainly in Brazil, Spain, Mexico and Peru. Once it has infected the victim’s computer, its main objective is to steal banking credentials: it displays fake pop-up windows that imitate the bank’s legitimate website and captures whatever the victim types into them.

In addition, like other banking Trojans active in Latin America, Grandoreiro includes backdoor functionality, that is, remote access to and control of the infected system, which lets the attacker perform further malicious actions on the compromised computer, such as:

Recording keystrokes (keylogging);

Simulating mouse and keyboard input, making the computer click on things the user never intended;

Logging the victim out;

Blocking access to certain websites;

Or even rebooting the computer.

Grandoreiro is detected by the leading antivirus products on the market, including Windows Defender, Kaspersky, Avast, AVG and ESET. If you receive a suspicious email, do not download or open its attachments, and, to be safe, run a full scan with the security software on your machine.