Banking Trojans Resurface: Grandoreiro & BTMOB Targeting LATAM & EU
Just caught the latest reports from WatchGuard and ESET regarding the resurgence of banking trojans. It looks like threat actors are heavily targeting Windows users in Spain, Portugal, and Mexico with Grandoreiro, while mobile users in Brazil are getting hit with the BTMOB RAT.
Grandoreiro isn't exactly new, but the delivery vectors are evolving. We're seeing a lot of phishing lures dropping MSI installers. Once inside, it maintains persistence via Registry Run keys and uses sophisticated DNS tunneling for C2. For the Windows side, I've updated our Sigma rules to catch the specific msiexec execution chains often associated with this campaign.
Here is a basic PowerShell snippet to hunt for suspicious persistence keys often used by Grandoreiro variants:
# Get-ItemProperty returns one object per key with each Run value as a property, so expand the
# properties first, drop the PS* bookkeeping ones, then test each value name and its command individually
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Name -notlike 'PS*' -and $_.Name -match '^[a-zA-Z]{8,}$' -and $_.Value -match '\.exe' } |
    Select-Object Name, Value
On the Android front, BTMOB RAT is concerning because it abuses Accessibility Services to overlay login screens. MDMs are catching some of this, but side-loading remains a massive vector.
Since these campaigns are geographically focused but liable to spread, how is everyone handling the mobile detection piece? Are you relying solely on Google Play Protect, or have you implemented network-level TLS inspection to catch the C2 traffic on mobile devices?
We block all MSI files from the internet at the edge. It breaks a few legitimate software installers, but for us, the security trade-off is worth it to stop the initial Grandoreiro dropper. For BTMOB, we've had success pushing a specific AppLocker policy on our corporate Android devices that prevents apps from requesting Accessibility Services unless they are explicitly whitelisted. It's a bit of a management overhead, but it neutralizes the overlay attacks effectively.
Good catch on the DNS tunneling. We've actually set up a KQL query in Sentinel to look for clients resolving a high number of unique subdomains within a short timeframe, which is a signature of Grandoreiro's C2.
DnsEvents
| where TimeGenerated > ago(1h)
| where isnotempty(Name) and Name contains "."
| extend Labels = split(Name, '.')
// registered domain = last two labels; count distinct names queried beneath it per client
| extend Domain = strcat(tostring(Labels[-2]), '.', tostring(Labels[-1]))
| summarize UniqueSubdomains = dcount(Name) by ClientIP, Domain
| where UniqueSubdomains > 50
| project ClientIP, Domain, UniqueSubdomains
It generates some noise with certain CDNs, but it's been a solid indicator of compromise for this specific family.
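The same "many unique subdomains per client in a short window" heuristic, run offline over constructed log lines so the logic can be checked without a Sentinel workspace. This is an added example, not code from anyone in the thread; the log format, the thresholds, the label-entropy filter, the CDN allow-list and every hostname and IP in it are assumptions. It goes slightly beyond the Sentinel query by adding the entropy check and the allow-list to cut the CDN noise mentioned above.

```python
"""Heuristic DNS-tunnelling hunt over constructed sample DNS log lines.

Added example; not from the thread. Assumed log format per line:
"<ISO timestamp> <client ip> <queried name>".
"""
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Construct sample lines (all invented).
    10.0.0.5: 60 random-looking labels under one domain inside the window (tunnel-like).
    10.0.0.6: 60 hashed asset hostnames under a CDN domain (benign but noisy).
    10.0.0.7: a few ordinary hostnames.
    10.0.0.8: same pattern as 10.0.0.5 but two hours old (outside the window)."""
    start = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(60):
        ts = (start + timedelta(seconds=i)).isoformat()
        old = (start - timedelta(hours=2) + timedelta(seconds=i)).isoformat()
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        asset = hashlib.sha256(f"asset{i}".encode()).hexdigest()[:32]
        lines.append(f"{ts} 10.0.0.5 {chunk}.evil-c2.test")
        lines.append(f"{ts} 10.0.0.6 {asset}.cdn-example.test")
        lines.append(f"{old} 10.0.0.8 {chunk}.evil-c2.test")
    for i, name in enumerate(["www.example.test", "mail.example.test", "login.example.test"]):
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 {name}")
    return lines


def parse_line(line):
    ts_text, client, name = line.split()
    return datetime.fromisoformat(ts_text), client, name.rstrip(".").lower()


def registered_domain(name):
    """Last two labels. Assumption: no public-suffix handling, so names like
    host.example.co.uk need a real PSL lookup in production."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def shannon_entropy(text):
    """Bits per character; ordinary hostnames (www, mail) score low, random labels high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hunt(lines, now, window=timedelta(hours=1), min_unique=50,
         min_entropy=2.5, allowlist=frozenset()):
    """Return {(client, domain): distinct subdomain count} for pairs over the thresholds.
    Thresholds are assumptions to tune per environment."""
    seen = defaultdict(set)
    for line in lines:
        ts, client, name = parse_line(line)
        if ts < now - window:
            continue                      # outside the hunting window
        domain = registered_domain(name)
        if domain == name or domain in allowlist:
            continue                      # apex query, or a known-noisy CDN
        sub = name[: -len(domain) - 1]
        if shannon_entropy(sub.split(".")[0]) < min_entropy:
            continue                      # looks like a normal hostname
        seen[(client, domain)].add(sub)
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= min_unique}


if __name__ == "__main__":
    observed_at = datetime(2024, 5, 1, 10, 1, 0)
    for (client, domain), n in hunt(build_sample_log(), observed_at).items():
        print(f"{client} resolved {n} distinct labels under {domain} in the last hour")
```

Without the allow-list the CDN client is flagged alongside the tunnelling one, which is exactly the noise described; with `cdn-example.test` allow-listed only 10.0.0.5 remains, and the two-hour-old burst from 10.0.0.8 never counts because it is outside the window.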
I'm more worried about the BTMOB RAT's SMS exfiltration capabilities. Even if we catch the infection, the data might already be gone. We've started monitoring for abnormal SMS usage patterns on corporate-owned devices. If a phone suddenly starts blasting messages to international numbers not in the contacts list, we quarantine it via Intune immediately. Has anyone analyzed the latest BTMOB samples to see if they've changed their encryption method for the exfiltrated data?
Since Grandoreiro relies heavily on Registry persistence, we've started hunting for unusual entries in the Run keys during our weekly endpoint audits. It helps catch remnants even if the initial MSI bypassed the edge filters.
Here is a quick PowerShell snippet we use to spot anomalies:
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue |
    Select-Object PSPath, * -ExcludeProperty PSProvider, PSParentPath, PSChildName, PSDrive  # keep the key path, drop the other PS* bookkeeping properties
Great insights on detection. Beyond Registry Run keys, Grandoreiro is known to abuse Scheduled Tasks for persistence. For those who can't block MSIs, consider auditing Scheduled Tasks created by non-admins. This PowerShell snippet helps find anomalies:
Get-ScheduledTask | Where-Object { $_.State -eq 'Ready' -and $_.Principal.UserId -notin 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE' } |
    Select-Object TaskPath, TaskName, Author, @{ n = 'RunAs'; e = { $_.Principal.UserId } }, @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
Given the LGPD/GDPR targets here, documenting these findings is crucial for compliance reporting.